Higher Ed Hack Means Crisis Management for UMD

Cyber criminals hit University of Maryland

Despite a recent doubling in IT security staff, personal data including names, Social Security numbers, dates of birth and university ID numbers belonging to nearly 310,000 individuals was stolen from the University of Maryland’s computer systems.

In response, University President Wallace Loh (and, you can bet, his crisis management team) put out a clear and concise letter explaining the situation:

February 19, 2014

Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):

Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.

I am truly sorry. Computer and data security are a very high priority of our University.

A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.

With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.

The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.

University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.

All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu.

Universities are a focus in today’s global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.

Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.

Sincerely,

Wallace D. Loh
President, University of Maryland

Even better, the university included a F.A.Q. section right below the page hosting the letter, a step that’s likely to reduce the volume of calls and emails officials will be wading through over the next few days.

We’ve been hammering this point in blogs, and it’s certainly worth repeating here – the question is no longer if you’ll face a hack-related crisis, but when. Include the possibility in your crisis management planning, and make sure to practice, because you WILL putting it to use.

——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-

[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is Social Media Manager for the firm, and also editor of its newsletter, Crisis Manager]