University of Maine police are investigating the breach of two UMaine computer servers holding the names, social security numbers, and clinical information of students who attended the university’s Counseling Center from Aug. 8, 2002 to June 21 of this year.
According to a university press release, data linked to approximately 4,585 students, four to five percent of UMaine students over that time period, was exposed.
Dean of Students Robert Dana said at a Tuesday news conference there was “no indication” that data was viewed or downloaded from the servers, but officials are preparing for a worst-case scenario.
“This is an insidious affront to the rightful privacy expectations of our students,” Dana said. “The criminals who make it their business to exploit our society’s need and ability to store information are beneath contempt. Because of this, we are engaging all possible resources to find the source of these attacks.”
Dana said colleges and universities are “prime targets” for hackers because of large bandwidth and high-speed connections.
Robotic computers, he said, make “literally thousands of attempts per day” on UMaine’s vast computer network, but safeguards, such as firewalls and alert systems, usually hold.
“It’s the Wild West out there and every day a new approach is invented to help control the frontier,” Dana said.
He said the first breach happened as early as March 4. Once the hacker gained access to the second computer, a second server, which carries the active version of the center’s 2002-2010 database, was compromised.
The police investigation started June 16, according to news release, after Counseling Center staff reported trouble accessing files. The UMaine police are working with the U.S. Attorney’s office and computer crimes experts from the U.S. Secret Service.
“In any case like this, identity theft must be a top concern and consequently we are taking strong measures to assist those whose information may have been exposed and to prevent further security intrusions,” Dana said.
The university is now working on a customized letter to each person in the database. The letter will detail how to access services from Debix, a credit-monitoring company hired by the university, according to the press release.
For at least the next year, the company will look for signs of identity theft in each affected person’s credit. They will provide immediate alerts if suspicious activity is detected and offer insurance against identity theft.
The company’s services will be provided by the university at no cost to affected individuals. Dana said the cost to UMaine would be in the “multi-thousands of dollars.”
Det. Sgt. William Flagg from the UMaine police, who is conducting the investigation along with Internet crime expert Officer Bill Mitchell, said the potentially anonymous nature of these crimes makes finding a specific suspect very difficult.
“This is not an investigation that is going to be measured in days or weeks. It will be measured in months,” Flagg said.
In the press release, the university said any student, current or former, who visited the Counseling Center since Aug. 8, 2002 should assume they are affected. Information on the breach and how to receive services is available at http://umaine.edu/informationcenter/.