Hackers breach U. Md. data, get names, DOBs, SSNs

The chief information officer at the University of Maryland said someone hacked into the university’s computer systems at about 4 AM on Feb 18, stealing names, Social Security numbers, dates of birth, and university identification numbers for 309,079 people affiliated with the school on its College Park and Shady Grove campuses, the Washington Post reports.


Students at the U. of Md. in 2012 (Photo: Images/University of Maryland)

Coverage is also provided by the Baltimore Sun, here, and by the Associated Press, here via ABC News. We might link to other coverage as it becomes available.

Update 2/21: In the university’s student newspaper, The Diamondback, Laura Blasey and Mike King wrote, “Because identity theft is possible, officials said the university will offer those affected one free year of credit monitoring from a yet-to-be-determined company.” This doesn’t exactly make me feel warm and fuzzy. Since the possession of more than 300,000 identity-proving data points is worth billions in terms of the amount of credit these thieves can obtain, they could very easily wait two, five, or even 20 years to reap their rewards. One year of “credit monitoring” would only work if the thieves were stupid, which they’re not.

In recent months, we have seen clear instances of four types of security breaches that put volumes of personally identifying information in the hands of people who had no right to see it:

  1. Whistle-blowers: Edward Snowden, self-described heroes who expose flaws in our systems
  2. Criminals: Target’s or the University of Maryland’s hackers who steal information
  3. Incompetent I/T staff: Don’t safeguard data properly (most common breach)
  4. Idiots: Unknowingly and inadvertently expose data

Actually, (3) and (4) kind of go together, but as long as business people and teachers use computers in our schools, there will be business people and teachers in our schools who aren’t keeping up with the latest cybersecurity research. Furthermore, I would probably classify school officials who send personal information from students’ records into the cloud in the last category as well.

And they just keep right on being complete idiots. Maybe we’re idiots as well, though, since we allow schools to store personally identifying information about our children online. It’s convenient for parents to access their sons’ and daughters’ grades 24/7, but there’s a price to be paid.

The latest example of moronic school officials who jeopardize student privacy by putting data online comes from New York State, where school officials will upload volumes of data in July to the cloud data provider, inBloom, here.

Parents have protested loudly, so I feel as though I’m beating a dead horse here, and it’s getting frustrating, which is probably what inBloom is counting on. The database will get the data from New York—damn every torpedo carrying the message of a clear and imminent threat to the security of kindergarten through 12th-grade students, ignore every vehement protest by American citizens about democracy, and discredit every piece of credible evidence that supports the obvious fact that every system, no matter how well it has been sold to our school districts, can be hacked. This one won’t take long. We’ll be giving 8-year-olds new identities before you know it.

On the other coast, legislation has been introduced in California that scrutinizes child privacy in software used by schools. I see a move westward for several New York residents in the near future.

About the Author

Paul Katula
Paul Katula is the executive editor of the Voxitatis Research Foundation, which publishes this blog. For more biographical information, see the About page.