By NICHOLAS MUNSON
COLLEGE PARK, Md. (Feb. 26, 2014)—After seven days of waiting, victims of the University of Marylands data breach were hoping to sign up Tuesday for the free credit monitoring provided by the school.
Instead, students and university employees were met with sometimes conflicting information. In addition, for several hours a credit protection hotline recommended by the school was malfunctioning due to high call volumes.
Brett Hall, a junior at the university, made three separate calls to Experian, the credit bureau whose ProtectMyID alert membership was offered by the school to those affected by the cyberattack. On his first two calls, Hall said he was told his information had not been compromised and was therefore not eligible for the free protection.
On his third call, Hall said his name was found on a list and was informed that his information had actually been breached. According to notices from the university, the records breached Feb. 18 included names, Social Security numbers, dates of birth and University identification numbers.
I wouldve been very, very, very upset if I didnt make that third phone call and then something wouldve happened, Hall said.
Hall wasn't the only one. Adjunct instructor Jamie Forzato said she was told her information was not exposed, but it would be another ten days before Experian had a complete list of all the names of people whose information was compromised.
People should know that if they were told they werent breached, that may not be the case in the end, Forzato said.
According to information posted Tuesday on the universitys web site, the compromised database contained 309,079 records of faculty, staff, and students from the College Park and Shady Grove campuses who have been issued a University ID in 1998 and thereafter.
For a while Tuesday morning and afternoon, callers could not get through on the Experian hotline.
The university issued a statement on its website Tuesday stating that Experian was experiencing technical difficulties due to high call volume.
Hall said he tried several times to call the hotline on his mobile phone but had his calls disconnected. When he attempted to call on a landline phone, he said he received an automated message saying that the lines were too busy and to call back at a later time.
University President Wallace D. Loh and university officials did not respond to multiple Capital News Service inquiries made by telephone, email and an in-person visit to his office in the Administration building on campus.
However, Loh did send out a mass email to the University of Maryland community shortly after 4 p.m. Tuesday, detailing the latest updates with the universitys response to the data breach. He also uploaded a video to the universitys YouTube page.
Effective immediately, I am launching a comprehensive, top-to-bottom investigation of all computing and information systems, Loh said in his email.
In his email statement, Loh said a combination of state and federal law enforcement agencies, the U.S. Secret Service, outside consultants and campus IT security personnel would scan every database to find out where sensitive personal information is located, and then purge it or protect it more fully, as appropriate.
Loh pledged the university would also do penetration tests of their security defenses, and review what databases should be operated by the university and which ones should be operated by individual units within the campus.
Loh attributed some of the problems to thousands of databases throughout the campus that were created when the environment for cyber threats was different.
Because of the actions we are taking, I pledge to you that the University of Maryland will be even stronger, bigger and better in the unremitting and global fight against cyber-crime, Loh said in his written statement.
One change that was made Tuesday was to expand the duration of free Experian credit protection services from one year to five, Loh announced.
Those who sign up would receive a free copy of an Experian credit report, surveillance alerts, daily credit monitoring and identity theft resolution.
But some students on campus still werent sold on the safety of their personal information.
Intuition tells me that if youre a criminal and youre good enough to steal information from the university, youre not going to go ahead right away and use that information, said freshman student Isaac Zhodzishsky. Youre going to wait a bit so it doesnt seem suspicious...credit checks, I personally feel, means nothing.
Another first-year student, Geneva Kropper, said she didnt even get the e-mail explaining how to register for Experians free credit monitoring.
I would really like if it I could get some information, some reassurances that theyre doing something besides just monitoring my credit - because I can monitor my credit too. Id like them to be taking some proactive steps, she said.