A special cyber security task force is being formed

Feb 27, 2014 09:15 GMT

The University of Maryland continues to investigate the cyberattack in which the personal information of over 309,000 individuals – including staff, faculty, affiliated personnel and students – has been compromised.

In a second statement published on the university’s website, University of Maryland President Wallace D. Loh has revealed that state and federal law enforcement, the Secret Service, MITRE Corporation consultants and the organization’s own IT security team are investigating the data breach.

The educational institution is hoping that it can identify the vulnerabilities that allowed the cybercriminals to penetrate its networks. The information collected during the investigation will also provide important clues for identifying the attackers.

Considering the extent of the breach, the university has decided to extend the credit protection services offered to impacted individuals from one year to five years. Those who have already signed up for the service with Experian will automatically be upgraded to five-year protection without having to call the company again.

Loh says the call volume is probably high, so it might take some time until all of the affected people sign up for the credit protection services. However, he highlights the fact that coverage is retroactive to the date of the breach. The service can be activated until May 31, 2014.

“Effective immediately, I am launching a comprehensive, top-to-bottom investigation of all computing and information systems. This includes central systems operated by the University and local systems operated by individual administrative and academic units,” the university’s president noted.

A special cyber security task force is being formed to coordinate the investigation. The new task force will be led by Professor Ann Wylie, who will also serve as interim vice president of information technology starting March 1.

Three main aspects will be investigated. First, the university will scan all databases to determine which of them store sensitive information. Apparently, there are thousands of them, many of which were created a long time ago, when cyberattacks didn’t represent such a great concern.

The databases that contain sensitive information will either be properly protected or purged.

From now on, periodic penetration testing will be conducted to identify any holes that cybercriminals could leverage.

Loh says the university is aware that its cybersecurity system is “only as strong as its weakest link,” which is why policy changes will be implemented to create a balance between the IT systems operated by the university and the ones operated by individual units.