PII and clinical information affected

Jun 30, 2010 14:01 GMT
4,585 current and former University of Maine students have their data exposed

Hackers have compromised two University of Maine servers, hosting personal and clinical information of 4,585 students who received counseling services in the last eight years. The university plans to offer all affected individuals at least twelve months of credit monitoring services.

The first server was breached at the beginning of March, and the intruders used the newly gained access to compromise the second one shortly thereafter. The methods used in the attacks have not been disclosed due to an ongoing investigation led by the University of Maine police department.

The two computers serviced the University's counseling center and hosted a database of students who received services there from 2002 to date – 4,585 in total. The data stored on the servers includes personally identifiable information (PII) such as names and social security numbers, as well as clinical information.

"The high-level safeguards we have in place routinely thwart these attempts, but they were not adequate in this case. This is a serious breach, and we are profoundly sorry that this has happened," commented the UMaine Vice President for Student Affairs and Dean of Students Robert Dana. "There is no indication that data were viewed, compromised or downloaded from either of these servers, but we are operating according to a worst-case scenario," he added.

In this respect, the University is offering affected individuals at least twelve months of free credit monitoring services through a company called Debix. Each person in the database will receive a notification letter regarding the incident.

An internal review of security policies and other procedures will be conducted and outside forensic investigators have been hired to provide technical expertise. The U.S. Attorney’s office and computer crimes experts from the U.S. Secret Service are also assisting the police investigation.

UMaine is not the first university to expose the sensitive data of thousands of people. For example, in November 2009, a University of North Carolina School of Medicine server hosting the personal information and mammography data of 163,000 women was similarly compromised by hackers.

The University of California, Berkeley also dealt with a data breach incident, which involved personal and medical information of 160,000 students and their family members. All of these incidents raise the same simple question: why is such sensitive data being stored on Internet-facing servers?