Officials at the University of Maryland (“University” or “UMD”) announced that UMD was the victim of a significant security breach that took place on Tuesday, February 18 (the “Breach” or “Incident”). The Incident, characterized as a “sophisticated computer security attack” by both the University’s President and the Chief Information Officer, exposed records containing the names, Social Security numbers, dates of birth and University identification card numbers dating back to 1998 of more than 300,000 UMD students, faculty and staff at the University’s College Park and Shady Grove campuses. The hackers who, according to UMD’s CIO, Brian Voss, had a “very significant understanding” of the University security framework” and “picked through several locks to get to the data,” did not alter UMD’s systems, but made a copy of the entire database containing the personal information.   While data breaches at educational institutions have become quite common (see below), the UMD breach is of particular note because complete Social Security numbers were part of the database and were part of the theft.

In an update on the Breach posted this morning on the UMD website, Voss announced that the University’s Police Department is continuing to investigate the Incident together with the U.S. Secret Service and that the University has been “working around the clock to ensure the breach has been contained and that other data systems are protected” and will “offer a free, one-year membership of Experian’s ProtectMyID Alert” to affected individuals. Voss also noted that UMD is partnering with MITRE, a systems engineering company specializing in cybersecurity, to analyze the Incident and prevent further attacks.

This latest security breach at a higher education institution is not only a reminder that security breaches are a reality of doing business, but also increasingly common. U.S. universities have been popular targets for cyber attacks in the past few years due to the large number of personal information records they store, and the relatively open state of their networks. In 2012, educational institutions reported nearly 2 million breached records.

Three questions for university CIO and CISOs:

  • What is your data retention policy?  (Do you really need to keep all former student/faculty information going back more than a decade?)
  • Do you retain Social Security numbers in student/faculty records for all purposes, or only in dedicated databases (e.g. Finance)?
  • When is the last time you reviewed your perimeter security and intrusion detection protocols for sensitive databases?

If you are a higher education institution, the question of the day is no longer whether you have adequate security protections in place to prevent a cyber attack, which is a MUST, but whether you have an adequate data breach response plan for when the cyber attack takes place.