Who makes the decision about data retention in these cases? Do they plan with breaches in mind? Can anyone who works in that position shed some light on this?
Last spring I received a notice in the mail from a university I had been accepted to four years ago, but did not attend, that my personal information was exposed in a data breach just like this one. The free year of credit monitoring isn't comforting. Why on earth is sensitive information like that kept? The likelihood of people being affected just goes up.
Information Security Operations for a tier-1 university here. If the university is public, which most are, they require SSN documentation to report to the state as technically your taxes helped pay for that school. This is all tied up in politics and documentation for everything really, but that's just how the politics seem to work. They are also required to file their assessment of your fees and tuition to the IRS via a 1098-T form.
Also you are awarded various small hidden grants on your tuition payments if you've a valid SSN as your taxes (or your future taxes) went towards that school's funding.
Having worked in higher ed for a number of years, I'm frankly surprised that this doesn't happen more often. At least, to the level of being reported like this.
Faculties regularly operate independently and have their own ideas about the proper way to secure the information they have access to (which, in some cases, is not at all). As a security representative in the central IT department, I was often tasked with finding, reporting and attempting to work with the various faculties that did not follow posted data access and privacy policies, but almost every time my efforts were superseded by "academic freedom".
I call this the "PhD from MIT Syndrome". A few of them actually think that they know everything about everything no matter their field of study. They are polymaths (in their own minds at least).
Years ago, a physics professor scoffed at me when I cautioned him about storing 64-bit ints in 64-bit doubles. He said, "who is this that speaks to me as though I needed advice?" He could not understand why his program failed sporadically. Must be a bug in the compiler. It certainly wasn't his code.
You know, I once sat in on a discussion between one of the sysadmins on my team and a researcher that went something like this (barely paraphrased, only insofar as my memory is bad): "Did your code run in test? What is test? Do you deploy your code to the test environment before steamrolling a running production instance? No no, why would I ever do that." (This was after he had literally cursed out one of our sysadmins for not fixing why his code was no longer running for him.)
Things like this are why I left academia back to industry, unfortunately for how many fantastic opportunities academia has to offer :/
I'm a student at UMD right now, and pretty frustrated to find out about this. IMO, the university should do a lot more than just providing a year's worth of credit monitoring, because once that year is up and people forget/choose not/can't afford to renew, chances are 90% of those records are going to be easy pickings for identity thieves.
300,000 SSNs, names, and DoBs is one helluva haul though. At least no academic records were compromised, god forbid anybody takes a look at my grades before making off with my identity! \s
NSA designated the University of Maryland as a National Center of Academic Excellence in Information Assurance Research. The University of Maryland was also named an Intelligence Community "Center of Academic Excellence" by the Department of Homeland Security. ... MC2 takes a unique approach in educating the future cybersecurity workforce to serve industry and government needs in Maryland and the Washington, DC metropolitan area.
I wonder how they discovered they were hacked, and how they arrived at the 309,079 records number.
What logs are typically 'left behind' for forensics to analyze after the fact? It's not like they have packet captures of all network communications they can analyze, or a list of every SQL query that was run after the attacker found a way to inject...
Something like they found a SQL dump file that shouldn't exist, looked at its creation date, inspected the log files (e.g., web server logs) and found network activity indicating it had been sent somewhere bad. Or they saw some unusual activity when doing a monthly analysis of web log activity, dug into it, and realized the whole DB had been sucked out through a SQL injection exploit. Or...the possibilities are endless.
Since web servers are most reliably logged even on poorly maintained systems, I'm guessing at least part of the attack hinged on that. It's really common to have servers that end up with no disk space because web logs aren't being rotated and archived/pruned properly.
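A sketch of the after-the-fact web log triage described above, written as an added example (it is not code from the thread or from UMD): it parses Apache combined-format lines from a constructed sample and flags three things a responder would pivot on, injection-looking query strings, 5xx errors on quote-bearing requests (probing), and responses far larger than that script's median (the footprint a bulk dump through a web app leaves behind). The log lines, paths and IPs are all made up.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import unquote

# Constructed Apache "combined" log lines (sample data, not from the thread or UMD).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2014:02:13:01 -0500] "GET /directory/lookup.php?id=1023 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Feb/2014:02:13:07 -0500] "GET /directory/lookup.php?id=1023' HTTP/1.1" 500 612 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Feb/2014:02:14:22 -0500] "GET /directory/lookup.php?id=0%20UNION%20SELECT%20ssn,name,dob%20FROM%20students-- HTTP/1.1" 200 58329114 "-" "Mozilla/5.0"
192.168.1.9 - - [18/Feb/2014:02:15:00 -0500] "GET /directory/lookup.php?id=77 HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
192.168.1.9 - - [18/Feb/2014:02:15:04 -0500] "GET /static/logo.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Classic injection markers, checked after URL-decoding: UNION...SELECT, quote-OR tautology, trailing comment.
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'?\d|--\s*$", re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["path"] = unquote(e["path"])          # decode %20 etc. so the patterns are visible
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e

def analyze(log_text, size_factor=20):
    """Return injection-looking requests, 5xx-on-quote probes, and oversized responses
    (more than size_factor times the median response size for that script)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    sizes = defaultdict(list)
    for e in entries:
        sizes[e["path"].split("?")[0]].append(e["size"])
    baseline = {script: median(s) for script, s in sizes.items()}
    sqli = [e for e in entries if SQLI_RE.search(e["path"])]
    probes = [e for e in entries if e["status"].startswith("5") and "'" in e["path"]]
    oversized = [e for e in entries
                 if e["size"] > size_factor * baseline[e["path"].split("?")[0]]]
    suspects = {e["ip"] for e in sqli + probes + oversized}
    return {"sqli": sqli, "probes": probes, "oversized": oversized, "suspect_ips": suspects}

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("suspect IPs:", sorted(r["suspect_ips"]), "| oversized:", [e["path"] for e in r["oversized"]])
```

The oversized-response check is the one that survives an attacker who avoids obvious keywords, which is why it is worth keeping even on a server that does little else in the way of logging.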
As someone who works for a vendor to higher education, I can say that it highly varies from institution to institution. I've noticed that size and prestige do not seem to be correlated to the level of security they actually have (or pretend to have).
Having gone to UMD for computer science I can say that the DNS servers are not on the main campus. And certainly a completely separate group of people managing them than basic infrastructure of the Registrar. That said, collaboration would probably be a good thing if it does not already happen. But who's to say any system is infallible?
The scary thing about this is that it's happening when network security is no longer secondary to physical security but rather is the most crucial security out there.
And networks still have an inherent weakness compared to physical sites. Physical sites don't have the problem that once one site is breached, another thousands of miles away can fall almost instantly.
Interlocking networks, IDs, passwords, credentials and so forth create a situation where there isn't really an inside or outside for the enterprising criminal. I can't see any way that this isn't going to get worse and worse for a while.