February 25, 2014
Dear University of Maryland community:
Today marks one week since the date our University suffered a sophisticated cyber-attack. Again, I apologize to each and every one of you for this data breach. I want to update you on what we are doing to protect, as best as we possibly can, the personal, research, and financial data you have entrusted to us.
State and federal law enforcement agencies, the U.S. Secret Service, consultants from the MITRE Corporation, and our own campus IT security personnel are working together to find out how the attackers penetrated our multiple layers of security. This forensic analysis will enable us to defend against this type of attack in the future. It will also provide clues as to who were the attackers.
I have ordered an extension of credit protection services from one year to a full five years of coverage. This extended protection will be available at no cost to every person affected by this breach. To register, please call Experian at 1-866-274-3891. If you have already signed up for the initial one-year protection, you will be automatically upgraded to five years so you do not need to call again. Please note that call volume may be high, and we appreciate your patience. All coverage is retroactive to the date of the breach.
Effective immediately, I am launching a comprehensive, top-to-bottom investigation of all computing and information systems. This includes central systems operated by the University and local systems operated by individual administrative and academic units. This investigation has three missions.
First, we will scan every database to find out where sensitive personal information might be located. Then, we will either purge it or protect it more fully in that database, as appropriate. There are thousands of databases throughout the campus, many created years ago when the environment for cyber threats was different.
Second, we will do penetration tests of the security defenses of our central and local information systems to identify and seal any possible technological gaps through which cyber criminals could get in to search for any information. These probes will be performed on an ongoing basis.
Third, we will review the appropriate balance between centralized (University-operated) versus decentralized (unit-operated) IT systems. There must be policy changes to accompany technical fixes. We understand the needs of individual units to control their own servers and databases. We must also ensure that safeguards at central and local levels are equally robust and tightly coordinated. Our University's entire cybersecurity system is only as strong as its weakest link.
To execute this threefold mission, I am forming the President's Task Force on Cybersecurity. It will be led by Professor Ann Wylie, who formerly held the positions of Provost, Vice President for Administration, and Chief of Staff to the President.
The Task Force will have experts from our campus, including from our Maryland Cybersecurity Center. They will be supported by a leading cybersecurity company with advanced hacking capabilities in order to expose potential vulnerabilities in our systems.
I have charged the Task Force to complete its investigation and submit its recommendations to me within 90 days. It will have the full support of my office and the resources it needs to complete its task. I will take all necessary actions based on the Task Force's recommendations and the results of the forensic analysis now underway.
Professor Wylie will also serve as interim Vice President for Information Technology, effective March 1. Our current vice president, Brian Voss, previously announced his retirement as of March 31. They will work together for a seamless transition. A national search for a permanent Vice President and Chief Information Officer is underway.
There is no impregnable barrier against every fiendishly skillful cyber-attack. Every day, there are thousands of probes of our defenses that we spot and thwart. We are not alone. In the past couple of years, some 20 large universities across the country have also reported major data breaches.
There is an arms race between hackers playing offense and universities playing defense. In 2012, we doubled our IT security staff and doubled our annual investments in cybersecurity. We will continue to make the necessary investments.
In today's digital world, each of us must take reasonable steps to ensure our own information security. Therefore, the University will present a series of identity theft seminars to all our students, faculty, staff, and alumni. The seminars, which will also be recorded and later made available online, will feature experts on how to safeguard your sensitive information. Additional updates will be posted on www.umd.edu/datasecurity.
Because of the actions we are taking, I pledge to you that the University of Maryland will be even stronger, bigger, and better in the unremitting and global fight against cyber-crime.
Wallace D. Loh
President, University of Maryland
Credit Protection extended to five years. Enrolling in credit protection services is now available:
There is a generous amount of time available to register for a free, 5-year membership in Experian's ProtectMyID. Individuals affected by the breach have up until May 31, 2014 to enroll.
There are two ways to activate ProtectMyID credit protection through Experian.
Either way you choose to register for ProtectMyID, you must activate this service by 11:59 pm ET on May 31, 2014.
When registering, you will need to provide Experian with personal information, such as:
Experian asks for personal information such as your social security number so that your identity can be verified during the registration process and future log-ins. This is strictly a security measure to ensure no one else has access to your information.
Police report information:
The police report case number associated with the UMD data breach is 14-7257. A police case number is required sometimes if you are attempting to place a security freeze on your credit file.
Parents of affected students:
Parent data was not part of the breached data set. Therefore parents of current students, and of students that studied between 1998 and present, are not impacted by this breach.
Our credit protection partner, Experian, is experiencing technical difficulties due to high call volume. Operators at Experian will continue to be available through 9 PM ET tonight, though volume may continue to be high until the late afternoon. We apologize for this inconvenience and thank all affected students, alumni, faculty and staff for their patience.
The University of Maryland continues to work diligently to investigate the cause of the data breach, safeguard against future threats, and provide accurate updates to those affected as soon as possible.
Please review the actions below, which outline steps you can take to protect yourself. Additional updates from the University are forthcoming. In the meantime, please remember to contact Experian at 1-866-274-3891 starting on Tuesday to verify and enroll in credit protection services.
Attorney General Douglas F. Gansler recently advised all consumers to take some basic steps that could protect their information from being misused, now or in the future. Review the tips here: www.oag.state.md.us/Press/2014/022014.html
Dear members of the campus community:
On Wednesday evening, we announced that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information. Since that time, we have been working around the clock to ensure the breach has been contained and that other data systems are protected.
The breached records included name, Social Security number, date of birth, and University identification number. No financial, academic, health or contact information was accessed.
To help protect your identity, we are offering a free, one-year membership of Experian's® ProtectMyID® Alert. This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.
Effective immediately, operators at Experian are standing by at 1-866-274-3891 (Monday-Friday 9:00 am-9:00 pm EST and Saturday-Sunday 11:00 am-8:00 pm EST) to answer general questions or concerns regarding this matter. Starting on Tuesday, February 25 at 9:00 am EST, you can call them directly to determine if your records were compromised and to register for your free year of credit protection. You must activate this service by 11:59 pm EST on May 31, 2014.
Once your ProtectMyID membership is activated, you will receive the following features:
It is recognized that identity theft can happen months and even years after a data breach. To offer added protection, you will receive ExtendCARE™, which provides you with the same high level of Fraud Resolution support even after your ProtectMyID membership has expired.
Our investigation into the cyber-attack continues, and the University of Maryland Police Department is working with the U.S. Secret Service on this matter. Additionally, we have partnered with MITRE, a leading systems engineering company specializing in cybersecurity, to provide additional forensic analysis on how this attack happened, and how to prevent such attacks in the future.
We understand this breach is causing concern and consternation. Please know that we are doing everything possible to ensure the protection of your personal information as we move forward. If you have any questions, please contact us at email@example.com. Additional updates will be posted to this website: www.umd.edu/datasecurity.
Brian D. Voss
Vice President, Division of Information Technology
February 19, 2014
Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):
Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.
I am truly sorry. Computer and data security are a very high priority of our University.
A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised -- no financial, academic, health, or contact (phone, address) information.
With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.
The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.
University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.
All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. If you have any questions or comments, please call our special Experian hotline at 1-866-274-3891 or email us at firstname.lastname@example.org.
Universities are a focus in today's global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.
Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.
Wallace D. Loh
President, University of Maryland