COLLEGE PARK – After seven days of waiting, victims of the University of Maryland’s data breach were hoping to sign up Tuesday for the free credit monitoring provided by the school.
Instead, students and university employees were met with sometimes conflicting information. In addition, for several hours a credit protection hotline recommended by the school was malfunctioning due to high call volumes.
Brett Hall, a junior at the university, made three separate calls to Experian, the credit bureau whose ProtectMyID alert membership was offered by the school to those affected by the cyberattack. On his first two calls, Hall said he was told his information had not been compromised and that he was therefore not eligible for the free protection.
On his third call, Hall said, his name was found on a list and he was informed that his information had actually been breached. According to notices from the university, the records breached Feb. 18 included names, Social Security numbers, dates of birth and University identification numbers.
“I would’ve been very, very, very upset if I didn’t make that third phone call and then something would’ve happened,” Hall said.
Hall wasn’t the only one. Adjunct instructor Jamie Forzato said she was told her information was not exposed, but that it would be another ten days before Experian had a complete list of all the names of people whose information was compromised.
“People should know that if they were told they weren’t breached, that may not be the case in the end,” Forzato said.
According to information posted Tuesday on the university’s web site, the compromised database contained 309,079 records of faculty, staff, and students from the College Park and Shady Grove campuses who were issued a University ID in 1998 or later.
For a while Tuesday morning and afternoon, callers could not get through on the Experian hotline.
The university issued a statement on its website Tuesday stating that Experian was “experiencing technical difficulties due to high call volume.”
Hall said he tried several times to call the hotline on his mobile phone but had his calls disconnected. When he attempted to call on a landline phone, he said he received an automated message saying that the lines were too busy and to call back at a later time.
University President Wallace D. Loh and university officials did not respond to multiple Capital News Service inquiries made by telephone, email and an in-person visit to his office in the Administration building on campus.
However, Loh did send out a mass email to the “University of Maryland community” shortly after 4 p.m. Tuesday, detailing the latest updates on the university’s response to the data breach. He also uploaded a video to the university’s YouTube page.
“Effective immediately, I am launching a comprehensive, top-to-bottom investigation of all computing and information systems,” Loh said in his email.
In his email statement, Loh said a combination of state and federal law enforcement agencies, the U.S. Secret Service, outside consultants and campus IT security personnel would scan every database to find out where sensitive personal information is located, and then purge it or protect it more fully, as appropriate.
Loh pledged the university would also do “penetration tests” of its security defenses, and review which databases should be operated by the university and which ones should be operated by individual units within the campus.
Loh attributed some of the problems to thousands of databases throughout the campus that were created when “the environment for cyber threats was different.”
“Because of the actions we are taking, I pledge to you that the University of Maryland will be even stronger, bigger and better in the unremitting and global fight against cyber-crime,” Loh said in his written statement.
One change that was made Tuesday was to expand the duration of free Experian credit protection services from one year to five, Loh announced.
Those who sign up would receive a free copy of an Experian credit report, surveillance alerts, daily credit monitoring and identity theft resolution.
But some students on campus still weren’t sold on the safety of their personal information.
“Intuition tells me that if you’re a criminal and you’re good enough to steal information from the university, you’re not going to go ahead right away and use that information,” said freshman student Isaac Zhodzishsky. “You’re going to wait a bit so it doesn’t seem suspicious…credit checks, I personally feel, means nothing.”
Another first-year student, Geneva Kropper, said she didn’t even get the e-mail explaining how to register for Experian’s free credit monitoring.
“I would really like it if I could get some information, some reassurances that they’re doing something besides just monitoring my credit – because I can monitor my credit too. I’d like them to be taking some proactive steps,” she said.