Dear University of Maryland community:

Today marks one week since the date our University suffered a sophisticated cyber-attack. Again, I apologize to each and every one of you for this data breach. I want to update you on what we are doing to protect -- as best as we possibly can -- the personal, research, and financial data you have entrusted to us.

State and federal law enforcement agencies, the U.S. Secret Service, consultants from the MITRE Corporation, and our own campus IT security personnel are working together to find out how the attackers penetrated our multiple layers of security. This forensic analysis will enable us to defend against this type of attack in the future. It will also provide clues as to who were the attackers.

I have ordered an extension of credit protection services from one year to a full five years of coverage. This extended protection will be available at no cost to every person affected by this breach. To register, please call Experian at 1-866-274-3891. If you have already signed up for the initial one-year protection, you will be automatically upgraded to five years so you do not need to call again. Please note that call volume may be high, and we appreciate your patience. All coverage is retroactive to the date of the breach.

Effective immediately, I am launching a comprehensive, top-to-bottom investigation of all computing and information systems. This includes central systems operated by the University and local systems operated by individual administrative and academic units. This investigation has three missions.

First, we will scan every database to find out where sensitive personal information might be located. Then, we will either purge it or protect it more fully in that database, as appropriate. There are thousands of databases throughout the campus, many created years ago when the environment for cyber threats was different.

Second, we will do penetration tests of the security defenses of our central and local information systems to identify and seal any possible technological gaps through which cyber criminals could get in to search for any information. These probes will be performed on an ongoing basis.

Third, we will review the appropriate balance between centralized (University-operated) versus decentralized (unit-operated) IT systems. There must be policy changes to accompany technical fixes. We understand the needs of individual units to control their own servers and databases. We must also ensure that safeguards at central and local levels are equally robust and tightly coordinated. Our University's entire cybersecurity system is only as strong as its weakest link.

To execute this threefold mission, I am forming the President's Task Force on Cybersecurity. It will be led by Professor Ann Wylie, who formerly held the positions of Provost, Vice President for Administration, and Chief of Staff to the President.

The Task Force will have experts from our campus, including from our Maryland Cybersecurity Center. They will be supported by a leading cybersecurity company with advanced hacking capabilities in order to expose potential vulnerabilities in our systems.

I have charged the Task Force to complete its investigation and submit its recommendations to me within 90 days. It will have the full support of my office and the resources it needs to complete its task. I will take all necessary actions based on the Task Force's recommendations and the results of the forensic analysis now underway.

Professor Wylie will also serve as interim Vice President for Information Technology, effective March 1. Our current vice president, Brian Voss, previously announced his retirement as of March 31. They will work together for a seamless transition. A national search for a permanent Vice President and Chief Information Officer is underway.

There is no impregnable barrier against every fiendishly skillful cyber-attack. Every day, there are thousands of probes of our defenses that we spot and thwart. We are not alone. In the past couple of years, some 20 large universities across the country have also reported major data breaches.

There is an arms race between hackers playing offense and universities playing defense. In 2012, we doubled our IT security staff and doubled our annual investments in cybersecurity. We will continue to make the necessary investments.

In today's digital world, each of us must take reasonable steps to ensure our own information security. Therefore, the University will present a series of identity theft seminars to all our students, faculty, staff, and alumni. The seminars -- which will also be recorded and later made available online -- will feature experts on how to safeguard your sensitive information.

Additional updates will be posted on www.umd.edu/datasecurity.

Because of the actions we are taking, I pledge to you that the University of Maryland will be even stronger, bigger, and better in the unremitting and global fight against cyber-crime.

Sincerely,

Wallace D. Loh
President, University of Maryland

Posted: 02/21/2014 at 12:25 pm

Dear USG Community:

We have received updated information from the University of Maryland, College Park (UMCP) about the UMCP ID card system data breach. Please see the following communication from Brian Voss, VP for Information Technology, UMCP for updated information about the breach and for services that can help to protect your identity. We will continue to provide information to you as we receive it.  

Sincerely,
Stewart Edelstein
Executive Director, USG

EMAIL sent from Brian D. Voss, Vice President, Division of Information Technology, UMCP on February 21, 2014

Dear members of the campus community:

On Wednesday evening, we announced that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information. Since that time, we have been working around the clock to ensure the breach has been contained and that other data systems are protected.

The breached records included name, Social Security number, date of birth, and University identification number.  No financial, academic, health or contact information was accessed.

To help protect your identity, we are offering a free, one-year membership of Experian's ProtectMyID Alert.  This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.

Effective immediately, operators at Experian are standing by at 1-866-274-3891 (Monday-Friday 9:00 am-9:00 pm EST and Saturday-Sunday 11:00 am-8:00 pm EST) to answer general questions or concerns regarding this matter.  Starting on Tuesday, February 25 at 9:00 am EST, you can call them directly to determine if your records were compromised and to register for your free year of credit protection.  You must activate this service by 11:59 pm EST on May 31, 2014.

Once your ProtectMyID membership is activated, you will receive the following features:

  • Free copy of your Experian credit report
  • Surveillance Alerts for: Daily Bureau Credit Monitoring: Alerts of key changes & suspicious activity found on your Experian credit report.
  • Identity Theft Resolution & ProtectMyID ExtendCARE: Toll-free access to US-based customer care and a dedicated Identity Theft Resolution agent who will walk you through the process of fraud resolution from start to finish for seamless service.  They will investigate each incident; help with contacting credit grantors to dispute charges and close accounts including credit, debit and medical insurance cards; assist with freezing credit files; contact government agencies.

It is recognized that identity theft can happen months and even years after a data breach.  To offer added protection, you will receive ExtendCARE, which provides you with the same high level of Fraud Resolution support even after your ProtectMyID membership has expired.

Our investigation into the cyber-attack continues, and the University of Maryland Police Department is working with the U.S. Secret Service on this matter.  Additionally, we have partnered with MITRE, a leading systems engineering company specializing in cybersecurity, to provide additional forensic analysis on how this attack happened, and how to prevent such attacks in the future.

We understand this breach is causing concern and consternation.  Please know that we are doing everything possible to ensure the protection of your personal information as we move forward.  If you have any questions, please contact us at datasecurity@umd.edu.  Additional updates will be posted to this website:  www.umd.edu/datasecurity.

Sincerely,

Brian D. Voss
Vice President, Division of Information Technology

Posted: 02/20/2014 at 12:31 pm

Dear USG Community:

We have been notified that the University of Maryland, College Park (UMCP) was a victim of a sophisticated computer security attack to the UMCP ID card system that exposed records containing personal information. Since this security breach affects those who have received UMCP or Universities at Shady Grove (USG) ID cards since 1998, this would include:

• UMCP students, faculty and staff at USG
• USG staff
• Undergraduate students enrolled in programs at USG offered by:
  - Towson University
  - University of Baltimore
  - University of Maryland, Baltimore
  - UMBC
  - University of Maryland Eastern Shore

A special hotline has also been established if you have questions about this incident. You can call 301.405.4440 or email at datasecurity@umd.edu. The University of Maryland, College Park has established a website with FAQs at www.umd.edu/datasecurity.

The University of Maryland, College Park is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.

Please see letter from President Wallace Loh below for specifics on the data breach.

Further communication will be forthcoming as we receive more information.

Sincerely,

Stewart Edelstein
Executive Director, The Universities at Shady Grove

From: President Wallace D. Loh
Subject: UMD Data Breach

February 19, 2014

Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):

Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information. 

I am truly sorry.  Computer and data security are a very high priority of our University.

A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number.  No other information was compromised -- no financial, academic, health, or contact (phone, address) information.

With the assistance of experts, we are handling this matter with an abundance of caution and diligence.  Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed.  Further, we are initiating steps to ensure there is no repeat of this breach.

The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service. 

University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information. 

We have established a website with FAQs at www.umd.edu/datasecurity. Any updates will be posted to this site.  If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu.

Universities are a focus in today's global assaults on IT systems.  We recently doubled the number of our IT security engineers and analysts.  We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.     

Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.

Sincerely,

Wallace D. Loh
President, University of Maryland