Staff editorial: An unresolved risk

Published: Tuesday, February 7, 2012

Updated: Tuesday, February 7, 2012 21:02

In 2006, a network security audit blasted the university's Office of Information Technology and identified seven pressing findings — six of which had remained unaddressed from a previous audit — in matters that could affect the privacy of sensitive student information such as Social Security numbers.

In 2008, hundreds of students opted to sign up for free Equifax credit-monitoring service provided by the university after the Department of Transportation Services accidentally released the Social Security numbers of about 24,000 students.

Fast-forward a few years and it's deja vu — except this time the University System of Maryland is in trouble.

A recent report issued by the Maryland General Assembly's Office of Legislative Audits found that data from more than 8,000 system applicants — including sensitive information such as Social Security numbers and credit card numbers — was stored in unencrypted plain text files on a publicly accessible server between Feb. 2008 and March 2011.

If this wasn't bad enough, the office had previously discovered about 53,000 Social Security numbers and 21,000 credit card numbers being stored in a similarly unencrypted manner from 2005 to 2008.

Ignoring established policies when storing personally identifiable information is never good when it happens once. But failing two consecutive audits — what gives?

According to system spokesman Mike Lurie, the university system took about two years to move all of the sensitive data to an internal server. But Michael Hicks, a computer science professor and director of the university's Maryland Cybersecurity Center, thinks two years should be enough to move about 8 million records — not 8,000. "To me, it sounds like a job that should take substantially less than two years," he said.

This editorial board isn't composed of any cybersecurity experts but, given his credentials, we're willing to bet Hicks is right. We're also concerned by the system's seemingly nonchalant approach to protecting information that can lead to identity theft.

The university system must do more to protect personal data.

Auditors shouldn't have to tell the system to follow its own "USM Guidelines in Response to the State's IT Security Policy," or "ensure the servers' operating system software includes all of the latest security updates and patches" because it hasn't been updated since April 2009. Nor should users be able to log into the Maryland Research and Education Network — which handles Internet access and USM institutions' online library systems — without a password. Auditors especially shouldn't have to report that three findings from 2009 haven't been addressed.

Officials stress that no information was ever stolen in the latest incident — so WikiLeaks this isn't — but it only takes one security breach to put thousands of students' identities at risk. If that happens, the nearly $15,000 DOTS spent on Equifax reports in 2008 could be peanuts compared to losses from student bank accounts.

It's bad enough for some of these rejected students to not get into a school. But then to find out later their personal information was stored — regardless of their rejection — and then stored without any protection? If it was Lurie's information at risk, you can bet he would make damn sure it had been protected right away. Let's hope system officials heed the auditors' advice this time and take steps to ensure private information remains private. Time to step up, guys.
