Hacker News new | comments | show | ask | jobs | submit login
University of Maryland Data Breach (umd.edu)
61 points by mahmoudimus 1367 days ago | hide | past | web | 25 comments | favorite

As an alum of UMD I'm really annoyed by this whole situation.

While I was an undergrad there, there was an incident with social security numbers being revealed on parking mailers that were sent out (http://marylandrha.blogspot.com/2008/07/social-security-numb...)

At the time I was wondering why the heck do people sending out parking mailers have access to my SSN?

After seeing this article I'm again wondering why the heck does the university retain SSN for alumni?

edit: the reason I mention this is because I think having reasonable data policies in place can help mitigate the severity of such events

Who makes the decision about data retention in these cases? Do they plan with breaches in mind? Can anyone who works in that position shed some light on this?

Last spring I received a notice in the mail from a university I had been accepted to four years ago, but did not attend, that my personal information was exposed in a data breach just like this one. The free year of credit monitoring isn't comforting. Why on earth is sensitive information like that kept? The likelihood of people being affected just goes up.

Oh that's nothing. At Penn State, Social Security Numbers were your student ID numbers. I think this has been changed. I hope, anyway.

Same goes for my alma mater. They changed it in 2007 or so and it was a GIGANTIC pain in the ass. Of course it's worth it to not have your photo, full name, and SSN on your student ID card.

Massachusetts driver's license numbers used to be SSNs, they changed that about 7 or 8 years ago.

Indeed. This is one of the big problems with today's "save-all-the-data" mentality.

The general consensus is that there's no point removing data - since disk space is basically free ($0.05/GB) [1] and hey, we might need it later on.

[1] http://www.statisticbrain.com/average-cost-of-hard-drive-sto...

Why would a university ask for an SSN? What use would a university make of the ssn?

Information Security Operations for a tier-1 university here. If the university is public, which most are, they require SSN documentation to report to the state as technically your taxes helped pay for that school. This is all tied up in politics and documentation for everything really, but that's just how the politics seem to work. They are also required to file their assessment of your fees and tuition to the IRS via a 1098-T form.

Also you are awarded various small hidden grants on your tuition payments if you've a valid SSN as your taxes (or your future taxes) went towards that school's funding.

Having worked in higher ed for a number of years, I'm frankly surprised that this doesn't happen more often. At least, to the level of being reported like this.

Faculties regularly operate independently and have their own ideas about the proper way to secure the information they have access to (which, in some cases, is not at all). As a security representative in the central IT department, I was often tasked with finding, reporting and attempting to work with the various faculties that did not follow posted data access and privacy policies but, almost every time my efforts were superseded by "academic freedom".

Incredibly frustrating experience.

I call this the "PhD from MIT Syndrome". A few of them actually think that they know everything about everything no matter their field of study. The are polymaths (in their own minds at least).

Years ago, a physics professor scoffed at me when I cautioned him about storing 64-bit ints in 64-bit doubles. He said, "who is this that speaks to me as though I needed advice?" He could not understand why his program failed sporadically. Must be a bug in the compiler. It certainly wasn't his code.

You know, I once sat in on a discussion between one of the sysadmins on my team and a researcher; that went something like (barely paraphrased, only insofar as my memory is bad) "Did your code run in test? What is test? Do you deploy your code to the test environment before steamrolling a running production instance. No no, why would I ever do that." (after literally cursing out one of our sysadmins for not fixing why his code was no longer running for him.)

Things like this are why I left academia back to industry, unfortunately for how many fantastic opportunities academia has to offer :/

It probably does happen with great frequency; it's just that the perpetrators aren't caught!

Sounds like a strategic place to breach for identity theft purposes. Lots of military and other folks get degrees from there.

The scary thing about this is that it's happening when network security is no longer a secondary thing to physical security but rather network security is most crucial security out there.

And networks still have an inherent weakness compared to physical sites. Physical sites don't have the problem that once one site is breached, another thousands of miles away can fall almost instantly.

Interlocking networks, id's, passwords, credentials and so-forth create a situation where there isn't really an inside or outside for the enterprising criminal. I can't see any way that this isn't going to get worse and worse for a while.

I'm a student at UMD right now, and pretty frustrated to find out about this. IMO, the university should do a lot more than just providing a year's worth of credit monitoring, because once that year is up and people forget/choose not/can't afford to renew, chances are 90% of those records are going to be easy pickings for identity thieves.

300,000 SSN's, names, and DoB's is one helluva haul though. At least no academic records were compromised, god forbid anybody takes a look at my grades before making off with my identity! \s

The blind leading the blind:

NSA designated the University of Maryland as a National Center of Academic Excellence in Information Assurance Research. The University of Maryland was also named an Intelligence Community "Center of Academic Excellence" by the Department of Homeland Security. ... MC2 takes a unique approach in educating the future cybersecurity workforce to serve industry and government needs in Maryland and the Washington, DC metropolitan area.


The university IT is a separate entity from the comp sci dept at umd

I wonder how they discovered they were hacked, and how they arrived at the 309,079 records number.

What logs are typically 'left behind' for forensics to analyze after the fact? It's not like they have packet captures of all network communications they can analyze, or a list of every SQL query that was run after the attacker found a way to inject...

Something like they found a SQL dump file that shouldn't exist, looked at its creation date, inspected the log files (e.g., web server logs) and found network activity indicating it had been sent somewhere bad. Or they saw some unusual activity when doing a monthly analysis of web log activity, dug into it, and realized the whole DB had been sucked out through a SQL injection exploit. Or...the possibilities are endless.

Since web servers are most reliably logged even on poorly maintained systems, I'm guessing at least part of the attack hinged on that. It's really common to have servers that end up with no disk space because web logs aren't being rotated and archived/pruned properly.

> our sophisticated, multi-layered security defenses

Is there anyone that has worked in higher ed IT who believes this?

As someone who works for a vendor to higher education, I can say that it highly varies from institution to institution. I've noticed that size and prestige do not seem to be correlated to the level of security they actually have (or pretend to have).

I concur, as someone who also works for a vendor to higher ed.

I know of small universities that demand an independent audit of all vendor code, to the large universities that are ok with having a four-character password for database access.

It also seems that Canadian universities are far more serious about security than American counteparts.

You'd think the operators of one of the root DNS servers[1] would also have the security to prevent this sort of breach.

[1] http://d.root-servers.org/

Having gone to UMD for computer science I can say that the DNS servers are not on the main campus. And certainly a completely separate group of people managing them than basic infrastructure of the Registrar. That said, collaboration would probably be a good thing if it does not already happen. But who's to say any system is infallible?

My alma mater. Fortunately, since I dropped out in 1982, I don't have to worry about this breach :-)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact