While I was an undergrad there, there was an incident with social security numbers being revealed on parking mailers that were sent out (http://marylandrha.blogspot.com/2008/07/social-security-numb...)
At the time I was wondering why the heck do people sending out parking mailers have access to my SSN?
After seeing this article I'm again wondering why the heck does the university retain SSN for alumni?
edit: the reason I mention this is because I think having reasonable data policies in place can help mitigate the severity of such events
Last spring I received a notice in the mail from a university I had been accepted to four years ago, but did not attend, that my personal information was exposed in a data breach just like this one. The free year of credit monitoring isn't comforting. Why on earth is sensitive information like that kept? The likelihood of people being affected just goes up.
The general consensus is that there's no point removing data - since disk space is basically free ($0.05/GB)  and hey, we might need it later on.
Also you are awarded various small hidden grants on your tuition payments if you've a valid SSN as your taxes (or your future taxes) went towards that school's funding.
Faculties regularly operate independently and have their own ideas about the proper way to secure the information they have access to (which, in some cases, is not at all). As a security representative in the central IT department, I was often tasked with finding, reporting and attempting to work with the various faculties that did not follow posted data access and privacy policies but, almost every time my efforts were superseded by "academic freedom".
Incredibly frustrating experience.
Years ago, a physics professor scoffed at me when I cautioned him about storing 64-bit ints in 64-bit doubles. He said, "who is this that speaks to me as though I needed advice?" He could not understand why his program failed sporadically. Must be a bug in the compiler. It certainly wasn't his code.
Things like this are why I left academia back to industry, unfortunately for how many fantastic opportunities academia has to offer :/
And networks still have an inherent weakness compared to physical sites. Physical sites don't have the problem that once one site is breached, another thousands of miles away can fall almost instantly.
Interlocking networks, id's, passwords, credentials and so-forth create a situation where there isn't really an inside or outside for the enterprising criminal. I can't see any way that this isn't going to get worse and worse for a while.
300,000 SSN's, names, and DoB's is one helluva haul though. At least no academic records were compromised, god forbid anybody takes a look at my grades before making off with my identity! \s
NSA designated the University of Maryland as a National Center of Academic Excellence in Information Assurance Research. The University of Maryland was also named an Intelligence Community "Center of Academic Excellence" by the Department of Homeland Security. ... MC2 takes a unique approach in educating the future cybersecurity workforce to serve industry and government needs in Maryland and the Washington, DC metropolitan area.
What logs are typically 'left behind' for forensics to analyze after the fact? It's not like they have packet captures of all network communications they can analyze, or a list of every SQL query that was run after the attacker found a way to inject...
Since web servers are most reliably logged even on poorly maintained systems, I'm guessing at least part of the attack hinged on that. It's really common to have servers that end up with no disk space because web logs aren't being rotated and archived/pruned properly.
Is there anyone that has worked in higher ed IT who believes this?
I know of small universities that demand an independent audit of all vendor code, to the large universities that are ok with having a four-character password for database access.
It also seems that Canadian universities are far more serious about security than American counteparts.