Capital News Service video by Nicholas Munson
ANNAPOLIS – University of Maryland President Wallace D. Loh said Friday that while “reasonable measures” will be taken to mitigate last week’s major database breach, it will likely cost the university millions of dollars.
Loh said the credit monitoring provided by the university through Experian could cost up to $20 per person — if all 309,079 people affected by the hack signed up, that could cost the university up to $6.2 million.
He added that acquiring encryption to make university data more secure could cost $20 million to $30 million, and hiring consultants to prevent future attacks could drive costs up even more.
“These costs can be very, very, very high,” Loh said in an interview with Capital News Service before testimony to the Senate Budget and Taxation Committee.
The university’s investigation into the hack, which is being assisted by state agencies, the Secret Service, and other federal agencies, is still ongoing, Loh said.
Some students have reported difficulties acquiring the credit monitoring, running into voicemails or messages saying to call back later. Loh apologized for these difficulties Friday, and said they were a result of the speed at which the program was set up.
While many states do not require universities to report data breaches, those affected by the Maryland breach were notified within 24 hours, according to Loh.
Loh issued a statement on the university’s website on Feb. 19, saying he had been informed of the breach the night before.
Loh said Friday that no cybersecurity solution is foolproof. He said that sophisticated hackers will be able to get through the layers of security, and even encryption could ultimately be “$20 (million to) $30 million down the drain” if someone figures out how to crack it.
Included in the information stolen in the attack were the Social Security numbers of students and faculty dating back to 1998. Loh said that Social Security numbers were often used in lieu of university identification numbers until the late 1990s, but the university held onto Social Security numbers so former students could request information, like transcripts.
“The basic problem is … Social Security was never intended to be used as an identifier,” Loh said.
He said that the linking of American Social Security numbers to financial information stands in stark contrast to national identity numbers in Europe.
In addition, Loh said the Social Security Administration only gives out new numbers in extreme situations. To prevent future hacks of this magnitude, Loh said, the federal government may have to change its policy.
“The federal government has to step in too,” Loh said. “Whatever we do (for cybersecurity at the university) is just a tiny little slice.”
Loh also reiterated that the attack on the University of Maryland was “very sophisticated,” and the university’s systems face thousands of probes looking for vulnerabilities every day.
But at Friday’s Senate hearing, Greg Johnson, president of the University of Maryland, College Park chapter of the American Federation of State, County and Municipal Employees, questioned Loh’s assessment of the hackers’ skill level and the university’s willingness to help.
He pointed out what he considered flaws in the credit monitoring service, including mail notification of potential breaches instead of immediate phone alerts and the need to sign a waiver giving up the ability to sue Experian in the event of fraud.
“I understand that this agreement was arrived at in a hurry, but this seems to be a little bit extreme,” Johnson said. “I’d like to have more protection for this data breach which risks 309,000 people’s financial future.”
Craig Newman, secretary of the AFSCME’s College Park chapter, also said that a higher level of protection from Experian that would include phone notifications of fraud would cost consumers up to $1,000 over the five-year period.
“The university makes it look like they’re really trying to help us, and I don’t really buy it,” Newman said in an interview. “Everything financially about me is in jeopardy. I’m not wealthy… I live paycheck to paycheck. But still, if someone were to try to, and successfully steal my identity … the creditors would come after me. The criminal in this scenario is long gone. That leaves me holding the empty money bag.”
The Senate did not discuss any responses to the breach during the hearing.
Consumers do have a course of legal action in the event of fraud, however.
“In terms of the liability, it might be suitable for a class-action (lawsuit),” said Chuck Fax, a Bethesda-based attorney with the law firm Rifkin, Livingston, Levitan & Silver. He added that while it may be difficult to prove the university’s liability, a “potentially astronomical amount of money” could be at stake for the university.
However, Loh said that in the past two years, 20 major public universities, including Ohio State University and the University of California, Los Angeles, had been hacked, and none of the lawsuits against them were successful.