Facebook Icon Youtube Icon Twitter Icon Flickr Icon Vimeo Icon RSS Icon Itunes Icon Pinterest Icon Coursera Icon

Letter from Ann G. Wylie (3/20/14)
En Español

March 20, 2014

Dear Vice Presidents, Deans, Directors and Department Chairs:

The University of Maryland learned of a cyber-intrusion into its network on the morning of Saturday, March 15, 2014. Within 36 hours, the FBI, U.S. Secret Service, and the University's Police Department, working with University's IT security staff, successfully mitigated the intrusion. We thank these organizations for their expeditious and effective actions.

The FBI has informed the University that the intrusion resulted in no public release of any information and no damage to the institution, except for the release of personal data of one senior University official, who has been notified. We are unable to comment further on the intrusion at this time. This matter is unrelated to the data breach of February 18, 2014.

As the investigation proceeded over the weekend, the University took the precautionary step of moving a number of University websites offline. These sites are in the process of being transferred to a different web hosting environment to provide additional levels of security. This strategy was already in place prior to the intrusion, and the move will be completed shortly.

The fight against cyber-attacks requires unrelenting effort. The President's Task Force on Cybersecurity formed a few weeks ago is actively working in these areas:

  • Evaluating cybersecurity consulting firms that can assist in strengthening our intrusion prevention and conducting penetration testing.

  • Identifying sensitive information in university databases to determine whether they are needed and how to better isolate them. All sensitive records in the breached database that are no longer required have been removed.

  • Examining national cybersecurity policies, procedures and best practices to establish an appropriate balance between centralized security and broad access on University networks.

Concurrently, the University IT staff with the support of outside consultants are working almost non-stop to better protect the vast information systems in our networks that are accessible to students, faculty, staff, and others. In the past month, they have:

  • Closed the pathways utilized in the February 18, 2014 breach and the recent intrusion.

  • Changed passwords for all databases and applications.

  • Conducted an initial audit to detect vulnerabilities in individual websites within web hosting environments.

  • Accelerated plans to migrate web hosting to a more secure environment.

In the coming days and weeks, we will announce additional security measures. The University is investing the financial and personnel resources required to better protect the personal, financial, academic, and research information of all members of the University community.

Sincerely,

Ann G. Wylie
Chair, President's Task Force on Cybersecurity
Interim Vice President and Chief Information Officer

Letter from Ann G. Wylie (3/12/14)
En Español


Dear University of Maryland community:

The data breach of February 18 has served as an urgent reminder that the protection and stewardship of our information and data systems is an issue that affects every one of us here at the University of Maryland. As the criminal investigation into the cyber-attack continues under the direction of the U.S. Secret Service, I wanted to update you on several new developments:

  • The breach is smaller than originally announced. After a careful analysis of the accessed database, we have determined that 21,499 records contained incomplete or inaccurate data. The breached records total 287,580

  • As of yesterday, 29,757 persons affected by the breach have registered for credit protection services. We are encouraged by this number as it is well ahead of projections (based on previous data breaches nationwide). The University urges everyone affected to sign up for the 5 years of protection.

  • 78% of the records in the affected database have now been permanently purged (a total of 225,023 records). A comprehensive review of all personal information across all databases is already underway.

  • During the purging process, IT staff identified 56,048 records that had been pre-loaded into the database when it was created in 1998. This file included information for students who attended UMD between 1992 and 1998. These records had already been accounted for in the total count and all affected persons have either been contacted via phone or email, or will receive an official letter within the next several days.

  • A series of identity theft and credit protection seminars will be offered this semester featuring Jeff Karberg from the Maryland Attorney General's Identity Theft Unit. The dates are April 17, April 21, and April 24, all at Stamp Student Union. Additional details will be announced separately, and we encourage all faculty, staff, students and alumni to attend. The sessions will be recorded and available online following the event date.


The first meeting of the President's Task Force on Cybersecurity will take place this evening, Wednesday, March 12. President Loh's charge to this 18-member body includes three primary focus areas:

  1. Conduct a scan of every database to find out where sensitive personal information might be located. Then the task force members will recommend the appropriate course of action: purge the data, or ensure its protection;

  2. Perform penetration tests of the security defenses of our central and local information systems to identify and seal any possible technological gaps through which cyber criminals could gain access. Further, recommend policies and procedures to establish these probes on an ongoing basis;

  3. Review the appropriate balance between centralized (University-operated) and decentralized (unit-operated) information technology systems. Consider existing policies and recommend changes or additions as necessary to accompany technical solutions.


The Task Force, whose membership is listed below, includes experts from our campus, including from our Maryland Cybersecurity Center. It also includes students, for their perspective is unique and essential. The Task Force will be supported by a leading cybersecurity company with a specialty in advanced hacking in order to expose potential vulnerabilities in our systems.

President Loh has asked that the Task Force perform our work urgently and thoroughly. Our final report, complete with recommendations that address the three charges outlined above, will be presented to President Loh by June 12, 2014. The full report will be made public.

The complexities and issues underlying the structure of our campus-wide information systems are significant. The scope and importance of work is paramount. Since the attack on UMD, several other universities have reported breaches of their own, affirming the case that there is perhaps no more compelling issue today than the sanctity of our financial, academic, personal, and research data.

I thank the Task Force members in advance for the hard work ahead. To the Maryland community, I thank you again for your patience as we work together on this important issue. We invite your continued input into this issue at datasecurity@umd.edu. All updates regarding the breach can be found at www.umd.edu/datasecurity.

Sincerely,
Ann G. Wylie
Interim Vice President and Chief Information Officer
Division of Information Technology
President's Task Force on Cybersecurity

 

Revised FAQs (3/24/14)

  • Who was affected by the data breach?
    —The breached database contained 287,580 records of faculty, staff, students and affiliated personnel from College Park and Shady Grove campuses. (The breach is smaller than originally announced. After a careful analysis of the accessed database, we have determined that 21,499 records contained incomplete or inaccurate data.) Specifically, the breach includes:

    • All current faculty, staff and students;
    • All faculty, staff and students who were in possession of a University ID anytime between 1998 and present; and
    • During the purging process, IT staff identified 56,048 records that had been pre-loaded into the database when it was created in 1998. This file included information for students who attended UMD between 1992 and 1998.

    All affected persons have either been contacted via phone or email, or will receive an official letter of notification.

  • What can I do to protect myself?
    —To help protect your identity, we are offering a free, five-year membership of Experian's® ProtectMyID® Alert. This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.

  • How can I activate my credit protection through Experian?
    —There is a generous amount of time available to register for a free, 5-year membership in Experian's ProtectMyID. Individuals affected by the breach have up until May 31, 2014.

    There are two ways to activate ProtectMyID credit protection through Experian.
    1. We encourage you to enroll online. It is simple, convenient and available 24/7. By mid-March, all individuals affected by the breach will receive a letter of notification in the mail. An activation code will be included in that letter. The letter will provide instructions for how to register online for ProtectMyID.

    2. You can call Experian directly at 1-866-274-3891 (Monday-Friday 9:00 am-9:00 pm ET and Saturday-Sunday 11:00 am-8:00 pm ET). You may experience delays due to call volume. We recommend enrolling online as the easiest, quickest and most convenient method.

    Either way you choose to register for ProtectMyID, you must activate this service by 11:59 pm ET on May 31, 2014.

  • I've moved since my affiliation with the university ended. How can I update the address where my notification letter will be sent?
    —It is not necessary to send a change of address if you have any open credit accounts. Your new address is automatically updated with Experian after notifying your lenders that you've moved.

  • How will I know if the letter of notification I receive is official?
    —The letters of notification will be on University of Maryland letterhead and are signed by Ann G. Wylie, Interim Vice President and Chief Information Officer.

  • Does the Experian ProtectMyID credit protection start on the date I enroll or am I covered from the date of the breach?
    —Enrollment in ProtectMyID will remain open until May 31, 2014. Once enrolled, a member may review his/her credit report and, if there is concern that certain information reflected in the report may be the result of fraud, the ProtectMyID® membership provides access to a fraud resolution specialist who assists with the situation until it is resolved.
    This applies to all information in the credit report, extending back as far as the credit report reflects. Specifically, any fraud that occurs as a result of the UMD data breach is eligible for protection services.

  • What information will I need to provide to Experian to activate the service?
    —When registering, you will need to provide Experian with personal information such as:
    • Name
    • Date of Birth
    • Social Security Number

    Experian asks for personal information — such as your social security number — so that your identity can be verified during the registration process and future log-ins. This is strictly a security measure to ensure no one else has access to your information.

  • What kind of data was accessed?
    —The records included name, Social Security number, date of birth, and University identification number. No financial, academic, contact, or health information was compromised.

  • Is there a police report case number associated with the breach?
    —The police report case number associated with the UMD data breach is 14-7257. A police case number is required sometimes if you are attempting to place a security freeze on your credit file.

  • Were parents of affected students impacted by the data breach?
    —Parent data was not part of the breached data set.

  • What protection is available to me if I have no credit history?
    —The university is offering protection for those with no credit history through Experian's DataPatrol product. DataPatrol monitors the web, social networks and public databases on your behalf to detect the unauthorized use of personal and financial information you provide. If DataPatrol detects personal information possibly at risk — matching what has been provided — you will be alerted by email.

    To enroll in DataPatrol, individuals should contact Experian for assistance with enrollment beginning on Monday, March 17 through May 31 at 1-866-274-3891.

  • What protection is available for minors under the age of 18?
    —The university is offering protection for minors under the age of 18 through Experian's Family Secure product.

    Through Family Secure, Experian will regularly monitor information about the minor. This includes the minor's credit file (if a credit history exists) or a minor's personal information to see if any credit, loan, or similar account is opened in the child's name. If new activity is created, the parent or legal guardian will be alerted. Experian will detect new activity based on the minor's SSN, date of birth, name, address, or any combination thereof.

    These are the steps you need to take to ensure protection for minors under 18:
    1. A letter will be mailed to qualifying individuals (those under 18 years of age) with a Family Secure activation code and instructions on how to enroll. Only one parent or legal guardian may enroll a minor.
    2. As the minor reaches his/her 18th birthday, you will receive an email notifying you that the Family Secure membership is expiring.
    3. After the individual turns 18, please have him/her contact Experian to be qualified for either ProtectMyID or Data Patrol to fulfill the remaining time on the original 5-year membership provided by the university. The individual must call within 30 days after turning 18 to receive the new product.
    Eligibility of enrollment in ProtectMyID or Data Patrol will be determined by whether the individual has a credit file sufficient enough to enable Experian credit monitoring or not.

  • Were University of Maryland University College (UMUC) students affected?
    —It has been determined that University of Maryland University College (UMUC) students, faculty and staff were not affected by the data breach.

  • Have Fall 2014 applicants' data been affected?
    —No, students who applied to the University of Maryland for Fall 2014 have not been affected.

  • I am deaf or hard of hearing. How do I contact Experian and enroll in ProtectMyID?
    —We encourage you to enroll online. It is simple, convenient and available 24/7. By mid-March, all individuals affected by the breach will receive a letter of notification in the mail. An activation code will be included in that letter. The letter will provide instructions on how to register online for ProtectMyID.

    You may also call Experian using a Text Telephone (TTY). The hotline number is 1-866-274-3891 (Monday-Friday 9:00 am-9:00 pm ET and Saturday-Sunday 11:00 am-8:00 pm ET).

    Either way you choose to register for ProtectMyID, you must activate this service by 11:59 pm ET on May 31, 2014.

  • How can I reach Experian if I am outside the country?
    —Individuals outside the U.S. can dial 1-479-573-7373.

  • How did it occur?
    —The cause of the security breach is currently under investigation by the University of Maryland Police Department, the U.S. Secret Service and federal law enforcement authorities, as well as forensic computer investigators.

  • How is the university responding?
    —Within 24 hours, the University formed an investigative task force that includes law enforcement, IT leadership, and computer forensic investigators. We are making every effort to notify the campus community and those who were previously affiliated with the university as students, faculty or staff.

    We are also partnering with MITRE, a leading systems engineering company specializing in cybersecurity, to provide additional forensic analysis on how this attack happened and how to prevent such attacks in the future.

    In addition, the University is offering five years of free credit monitoring to all who were affected.

  • For security reasons, do current students, faculty and staff need to be issued new University IDs?
    —No, there has been no breach in any of our other data systems that indicate new University IDs should be issued.

  • ¿Cómo se está transmitiendo esta información a la comunidad que habla español?
    —La versión en español de la carta del Rector Loh se puede encontrar aquí www.umd.edu/datasecurity/datos/



 

UMD Data Breach: Update #6 2/25/14
En Español

A Message from the President: UMD Data Breach Update



Click here for special video from President Loh.

February 25, 2014

Dear University of Maryland community:

Today marks one week since the date our University suffered a sophisticated cyber-attack. Again, I apologize to each and every one of you for this data breach. I want to update you on what we are doing to protect—as best as we possibly can—the personal, research, and financial data you have entrusted to us.

State and federal law enforcement agencies, the U.S. Secret Service, consultants from the MITRE Corporation, and our own campus IT security personnel are working together to find out how the attackers penetrated our multiple layers of security. This forensic analysis will enable us to defend against this type of attack in the future. It will also provide clues as to who were the attackers.

I have ordered an extension of credit protection services from one year to a full five years of coverage. This extended protection will be available at no cost to every person affected by this breach. To register, please call Experian at 1-866-274-3891. If you have already signed-up for the initial one-year protection, you will be automatically upgraded to five years so you do not need to call again. Please note that call volume may be high, and we appreciate your patience. All coverage is retroactive to the date of the breach.

Effective immediately, I am launching a comprehensive, top-to-bottom investigation of all computing and information systems. This includes central systems operated by the University and local systems operated by individual administrative and academic units. This investigation has three missions.

First, we will scan every database to find out where sensitive personal information might be located. Then, we will either purge it or protect it more fully in that database, as appropriate. There are thousands of databases throughout the campus, many created years ago when the environment for cyber threats was different.

Second, we will do penetration tests of the security defenses of our central and local information systems to identify and seal any possible technological gaps through which cyber criminals could get in to search for any information. These probes will be performed on an ongoing basis.

Third, we will review the appropriate balance between centralized (University-operated) versus decentralized (unit-operated) IT systems. There must be policy changes to accompany technical fixes. We understand the needs of individual units to control their own servers and databases. We must also ensure that safeguards at central and local levels are equally robust and tightly coordinated. Our University's entire cybersecurity system is only as strong as its weakest link.

To execute this threefold mission, I am forming the President's Task Force on Cybersecurity. It will be led by Professor Ann Wylie, who formerly held the positions of Provost, Vice President for Administration, and Chief of Staff to the President.

The Task Force will have experts from our campus, including from our Maryland Cybersecurity Center. They will be supported by a leading cybersecurity company with advanced hacking capabilities in order to expose potential vulnerabilities in our systems.

I have charged the Task Force to complete its investigation and submit its recommendations to me within 90 days. It will have the full support of my office and the resources it needs to complete its task. I will take all necessary actions based on the Task Force's recommendations and the results of the forensic analysis now underway.

Professor Wylie will also serve as interim Vice President for Information Technology, effective March 1. Our current vice president, Brian Voss, previously announced his retirement as of March 31. They will work together for a seamless transition. A national search for a permanent Vice President and Chief Information Officer is underway.

There is no impregnable barrier against every fiendishly skillful cyber-attack. Every day, there are thousands of probes of our defenses that we spot and thwart. We are not alone. In the past couple of years, some 20 large universities across the country have also reported major data breaches.

There is an arms race between hackers playing offense and universities playing defense. In 2012, we doubled our IT security staff and doubled our annual investments in cybersecurity. We will continue to make the necessary investments.

In today's digital world, each of us must take reasonable steps to ensure our own information security. Therefore, the University will present a series of identity theft seminars to all our students, faculty, staff, and alumni. The seminars—which will also be recorded and later made available online—will feature experts on how to safeguard your sensitive information. Additional updates will be posted on www.umd.edu/datasecurity.

Because of the actions we are taking, I pledge to you that the University of Maryland will be even stronger, bigger, and better in the unremitting and global fight against cyber-crime.

Sincerely,

Wallace D. Loh
President, University of Maryland


 

Important Updates Regarding UMD Data Breach: Update #5 2/25/14

Credit Protection extended to five years. Enrolling in credit protection services is now available:

There is a generous amount of time available to register for a free, 5-year membership in Experian's ProtectMyID. Individuals affected by the breach have up until May 31, 2014 to enroll.

There are two ways to activate ProtectMyID credit protection through Experian.

  1. We encourage you to enroll online. It is simple, convenient and available 24/7. By mid-March, all individuals affected by the breach will receive a letter of notification in the mail. An activation code will be included in that letter. The letter will provide instructions for how to register online for ProtectMyID.

  2. You can call Experian directly at 1-866-274-3891 (Monday-Friday 9:00 am-9:00 pm ET and Saturday-Sunday 11:00 am-8:00 pm ET). You may experience delays due to call volume. We recommend enrolling online as the easiest, quickest and most convenient method.

Either way you choose to register for ProtectMyID, you must activate this service by 11:59 pm ET on May 31, 2014.

When registering, you will need to provide Experian with personal information, such as:

  • Name
  • Date of Birth
  • Social Security Number

  • Experian asks for personal information — such as your social security number — so that your identity can be verified during the registration process and future log-ins. This is strictly a security measure to ensure no one else has access to your information.

    Police report information:
    The police report case number associated with the UMD data breach is 14-7257. A police case number is required sometimes if you are attempting to place a security freeze on your credit file.

    Parents of affected students:
    Parent data was not part of the breached data set. Therefore parents of current students, and of students that studied between 1998 and present, are not impacted by this breach.

     

    UMD Data Breach: Update #4 2/25/14

    Our credit protection partner, Experian, is experiencing technical difficulties due to high call volume. Operators at Experian will continue be available through 9 PM ET tonight, though volume may continue to be high until the late afternoon. We apologize for this inconvenience and thank all affected students, alumni, faculty and staff for their patience.

     

    UMD Data Breach: Update #3 2/24/14

    The University of Maryland continues to work diligently to investigate the cause of the data breach, safeguard against future threats, and provide accurate updates to those affected as soon as possible.

    Please review the actions below, which outline steps you can take to protect yourself. Additional updates from the University are forthcoming. In the meantime, please remember to contact Experian at 1-866-274-3891 starting on Tuesday to verify and enroll in credit protection services.

     

    ADDITIONAL ACTIONS TO HELP REDUCE YOUR CHANCES OF IDENTITY THEFT


    Equifax Experian TransUnion
    1-800-525-6285 1-888-397-3742 1-800-680-7289
    www.equifax.com
    www.experian.com
    www.transunion.com





    • PLACE A 90-DAY FRAUD ALERT ON YOUR CREDIT FILE
    • —An initial 90 day security alert indicates to anyone requesting your credit file that you suspect you are a victim of fraud. When you or someone else attempts to open a credit account in your name, increase the credit limit on an existing account, or obtain a new card on an existing account, the lender should takes steps to verify that you have authorized the request. If the creditor cannot verify this, the request should not be satisfied. You may contact one of the credit reporting companies below for assistance.

    • PLACE A SECURITY FREEZE ON YOUR CREDIT FILE
    • —If you are very concerned about becoming a victim of fraud or identity theft, a security freeze might be right for you. Placing a freeze on your credit report will prevent lenders and others from accessing your credit report entirely, which will prevent them from extending credit. With a Security Freeze in place, you will be required to take special steps when you wish to apply for any type of credit. This process is also completed through each of the credit reporting companies.

    • ORDER YOUR FREE ANNUAL CREDIT REPORTS
    • —Visit www.annualcreditreport.com or call 877-322-8228. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

    • MANAGE YOUR PERSONAL INFORMATION
    • —Take steps such as: carrying only essential documents with you; being aware of whom you are sharing your personal information with and shredding receipts, statements, and other sensitive information.

    • USE TOOLS FROM CREDIT PROVIDERS
    • —Carefully review your credit reports and bank, credit card and other account statements. Be proactive and create alerts on credit cards and bank accounts to notify you of activity. If you discover unauthorized or suspicious activity on your credit report or by any other means, file an identity theft report with your local police and contact a credit reporting company.

    • OBTAIN MORE INFORMATION ABOUT IDENTITY THEFT AND WAYS TO PROTECT YOURSELF
    • —Visit www.experian.com/credit-advice/topic-fraud-and-identity-theft.html for general information regarding protecting your identity.
      —The Federal Trade Commission has an identity theft hotline: 877-438-4338; TTY: 1-866-653-4261. They also provide information on-line at www.ftc.gov/idtheft.

    Attorney General Douglas F. Gansler recently advised all consumers to take some basic steps that could protect their information from being misused, now or in the future. Review the tips here: www.oag.state.md.us/Press/2014/022014.html

    Letter from Brian D. Voss



    February 21, 2014

    Dear members of the campus community:

    On Wednesday evening, we announced that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information. Since that time, we have been working around the clock to ensure the breach has been contained and that other data systems are protected.

    The breached records included name, Social Security number, date of birth, and University identification number. No financial, academic, health or contact information was accessed.

    To help protect your identity, we are offering a free, one-year membership of Experian's® ProtectMyID® Alert. This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft.

    Effective immediately, operators at Experian are standing by at 1-866-274-3891 (Monday-Friday 9:00 am-9:00 pm EST and Saturday-Sunday 11:00 am-8:00 pm EST) to answer general questions or concerns regarding this matter. Starting on Tuesday, February 25 at 9:00 am EST, you can call them directly to determine if your records were compromised and to register for your free year of credit protection. You must activate this service by 11:59 pm EST on May 31, 2014.

    Once your ProtectMyID membership is activated, you will receive the following features:

    • Free copy of your Experian credit report
    • Surveillance Alerts for:
    • Daily Bureau Credit Monitoring: Alerts of key changes & suspicious activity found on your Experian credit report.
    • Identity Theft Resolution & ProtectMyID ExtendCARE: Toll-free access to US-based customer care and a dedicated Identify Theft Resolution agent who will walk you through the process of fraud resolution from start to finish for seamless service. They will investigate each incident; help with contacting credit grantors to dispute charges and close accounts including credit, debit and medical insurance cards; assist with freezing credit files; contact government agencies.

    It is recognized that identity theft can happen months and even years after a data breach. To offer added protection, you will receive ExtendCARE™, which provides you with the same high-level of Fraud Resolution support even after your ProtectMyID membership has expired.

    Our investigation into the cyber-attack continues, and the University of Maryland Police Department is working with the U.S. Secret Service on this matter. Additionally, we have partnered with MITRE, a leading systems engineering company specializing in cybersecurity, to provide additional forensic analysis on how this attack happened, and how to prevent such attacks in the future.

    We understand this breach is causing concern and consternation. Please know that we are doing everything possible to ensure the protection of your personal information as we move forward. If you have any questions, please contact us at datasecurity@umd.edu. Additional updates will be posted to this website: www.umd.edu/datasecurity.

    Sincerely,

    Brian D. Voss
    Vice President, Division of Information Technology

    Letter from President Loh



    February 19, 2014

    Dear students, faculty, and staff of the University of Maryland (at College Park and Shady Grove):

    Last evening, I was notified by Brian Voss, Vice President of Information Technology, that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information.

    I am truly sorry. Computer and data security are a very high priority of our University.

    A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised -- no financial, academic, health, or contact (phone, address) information.

    With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.

    The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.

    University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.

    All updates regarding this matter will be posted to this website. Additional information is provided in the FAQs below. If you have any questions or comments, please call our special Experian hotline at 1-866-274-3891 or email us at datasecurity@umd.edu.

    Universities are a focus in today's global assaults on IT systems. We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will.

    Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised.

    Sincerely,

    Wallace D. Loh
    President, University of Maryland