Thursday, February 20, 2014

What the UMD Data Breach Means for Students

This also applies in large part to faculty and staff, as well as anyone whose data has been compromised.

On Wednesday morning the University of Maryland servers were the target of a sophisticated cyber-attack. The breach was not noted for several hours. In that time, over 300,000 records were accessed. The database in question includes anyone who received a University ID (like students/faculty/staff) since 1998. (See for more information on this attack.)

There is good news and bad news for those involved. The bad news is your name, date of birth, and social security number were likely compromised. This opens the door for identity theft, as these records can be used by the hacker or sold to a third party. The typical scenario is financial fraud, where someone opens up one or more credit accounts in your name, then defaults on the debts, damaging your credit and potentially leaving you with a bill for thousands of dollars. Other scenarios besides financial include someone assuming your identity for criminal, immigration, tax, or medical reasons – which may lead to erroneous arrest records or warrants. They may also try to impersonate you on social media.

The good news is only about 2% of people whose data is compromised in a single breach become victims of identity theft, at least that we know of. Also, the University states that address information was not part of the breach – and current students may still be still young enough that their name and address may not be linked in public records. This is a double-edged sword, but it reduces the overall risk. If people act quickly to protect their financial identity after a breach, they can head off most potential problems.

The first step for students and staff is to contact the University IT department at 301-405-4440. They are open 24 hours a day, and they can open a service ticket under your name. This will not only provide you with updates regarding the breach, but also allow you to take advantage of free credit monitoring services.

The next step is to take full advantage of that credit monitoring as soon as its available. There are companies out there that offer to do this for you, and set up alerts if someone accesses your credit, but for a monthly/annual fee. Identity thieves count on your inattentiveness, so don’t leave yourself open. There are three credit bureaus that you need to track –,, and

You can place a 90-day fraud alert on one of them for free, and they are required to notify the other two by law. This is not always 100% effective, but it’s a start. You can also place a credit hold or freeze on your account by providing each bureau with identifying information, and they will provide you with a password. You use this password to authorize release of credit information or to end the freeze at a later time. For younger students, it may be years before you need to use your credit – so don’t forget that password!

Even after your one-year of free credit monitoring runs out, you will still need to review your reports from these three bureaus several times a year. By law, people can obtain a free copy of their credit report once a year from each one. You order a free copy from one, then order a free copy the next one four months after that, and order a copy from the third one four months after that. This way, you get a free copy every four months. Look them over carefully for any unusual activity. This should be easy for younger people with less credit history, as any new accounts will stick out like a sore thumb. Older people with established credit will need to review them more closely.

As more of our personal information is captured and tracked by companies on computer systems, the more vulnerable we are to having it stolen. Even if you’re not part of a breach that you know of, personally identifiable information can be obtained in all sorts of ways, so no one is immune to the threat of identity theft. However by paying attention to our financial and credit information, we can mitigate at least part of the risk.