The names and Social Security numbers of more than 309,000 students and staff from the University of Maryland, dating back to 1998, were stolen in a "sophisticated" security attack that penetrated recently bolstered defenses, the school's president announced late Wednesday.
President Wallace Loh apologized for what was one of the largest single data breaches suffered by a university in the last decade.
The university said it began investigating with law enforcement and private cybersecurity experts within 24 hours of learning of the breach of a specific database. The database contained the name, date of birth, Social Security and university identification number for every person issued university identification for its College Park and Shady Grove campuses since 1998. The university said no other information was compromised.
"With the assistance of experts, we are handling this matter with an abundance of caution and diligence," Loh said in a statement. "Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed."
A year of free credit monitoring is being offered to all affected people, and the university urged those individuals to be wary of scam artists contacting them.
Loh noted that universities remained an attractive target for hackers.
"We recently doubled the number of our IT security engineers and analysts," he said. "We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will."
The public school, ranked among the top 50 in the nation, has about 27,000 undergraduates and 10,000 graduate students.
A breach at UCLA in 2006 affected 800,000 people, and one four years later at Ohio State University had 750,000 victims. Dozens of other schools, including Stanford University, have seen thousands of records compromised.