This also applies in large part to faculty and staff, as well as anyone whose data has been compromised.
On Wednesday morning the University of Maryland servers were the target of a
sophisticated cyber-attack. The breach was not noted for several hours. In that
time, over 300,000 records were accessed. The database in question includes anyone
who received a University ID (like students/faculty/staff) since 1998. (See http://www.umd.edu/datasecurity/
for more information on this attack.)
There is good news and bad
news for those involved. The bad news is your name, date of birth, and social security number were
likely compromised. This opens the door for identity theft, as these records
can be used by the hacker or sold to a third party. The typical scenario is
financial fraud, where someone opens up one or more credit accounts in your
name, then defaults on the debts, damaging your credit and potentially leaving
you with a bill for thousands of dollars. Other scenarios besides financial
include someone assuming your identity for criminal, immigration, tax, or
medical reasons – which may lead to erroneous arrest records or warrants. They
may also try to impersonate you on social media.
The good news is only about
2% of people whose data is compromised in a single breach become victims of
identity theft, at least that we know of. Also, the University states that address information was
not part of the breach – and current students may still be young enough that their name and
address may not be linked in public records. This is a double-edged sword, but
it reduces the overall risk. If people act quickly to protect their financial
identity after a breach, they can head off most potential problems.
The first step for students and staff is to
contact the University IT department at 301-405-4440. They are open 24 hours a
day, and they can open a service ticket under
your name. This will not only provide you with updates regarding the breach,
but also allow you to take advantage of free credit monitoring services.
The next step is to take
full advantage of that credit monitoring as soon as it’s available. There are
companies out there that offer to do this for you, and set up alerts if someone
accesses your credit, but for a monthly/annual fee. Identity thieves count on
your inattentiveness, so don’t leave yourself open. There are three credit
bureaus that you need to track – Experian.com, TransUnion.com, and Equifax.com.
You can place a 90-day
fraud alert on one of them for free, and they are required to notify the other
two by law. This is not always 100% effective, but it’s a start. You can also
place a credit hold or freeze on your account by providing each bureau with
identifying information, and they will provide you with a password. You use this
password to authorize release of credit information or to end the freeze at a
later time. For younger students, it may be years before you need to use your
credit – so don’t forget that password!
Even after your one year of
free credit monitoring runs out, you will still need to review your reports
from these three bureaus several times a year. By law, people can obtain a free
copy of their credit report once a year from each one. You order a free copy
from one, then order a free copy from the next one four months after that, and order
a copy from the third one four months after that. This way, you get a free copy
every four months. Look them over carefully for any unusual activity. This
should be easy for younger people with less credit history, as any new accounts will stick out like a sore thumb.
Older people with established credit will need to review them more closely.
The more of our personal
information is captured and tracked by companies on computer systems, the more
vulnerable we are to having it stolen. Even if you’re not part of a breach that
you know of, personally identifiable information can be obtained in all sorts
of ways, so no one is immune to the threat of identity theft. However, by paying
attention to our financial and credit information, we can mitigate at least
part of the risk.