COLLEGE PARK, Md. (WUSA9) -- The University of Maryland president testified in front of Congress Wednesday for the first time since a massive data breach embarrassed the university and exposed the private information of hundreds of thousands of past and current students, staff, and faculty.
Dr. Wallace Loh told a Senate committee the university has now moved most of its websites to the cloud, expunged 80 percent of its databases, and hired experts to improve its protections.
But the attacker used the anonymous browser 'Tor' which masks a user's location, meaning no one may ever be caught.
Loh told senators on the Committee on Commerce, Science, and Transportation committee the February cyber attack was sophisticated and devastating, and took the university by surprise.
"We were just flying by the seat of our pants" to come up with a rapid response, Dr. Loh testified during the afternoon hearing on Capitol Hill.
In revealing detail, Dr. Loh recounted how the hacker gained access to a trove of personal data by first targeting a university website meant for uploading photos. Instead, the attacker uploaded a Trojan horse containing malware that found the passwords for some IT managers. Armed with those credentials, the hacker unlocked the keys to the digital kingdom, accessing social security numbers and other personal information up to 20 years old for 310,000 students, staff, and faculty.
When asked by WUSA9 after his testimony whether the university should have purged the records "long before" the breach, Dr. Loh answered unequivocally, "Yes, we should have. But we didn't."
Loh said the lapse "will be very expensive. And that's why I say: the reason they're stealing social security numbers is because they're valuable. If they were not valuable, nobody would be staling them. So pass a law forbidding financial institutions from using social security numbers."
Instead, the Senate is debating a bill to require minimum notification standards for future breaches.
The university has set aside more than $6 million to pay for credit monitoring for victims (at a cost of $20 per person) but only 58,000 - less than 20 percent - of them have signed up.
"It's for free for five years," Dr. Loh said, slightly incredulously. "But, you know, you can't force people to take it... Protection is everybody's responsibility."
It's as simple as using the activation code the university mailed to all the victims or by calling Experian directly. But victims must sign up by May 31.
Also at today's hearing, Sen. Ed Markey of Massachusetts chided retailing giant Target for not being as generous. The retailer is only offering one year of identity theft protection instead of the university's five. The up to 100 million victims of the Target breach can sign up on its website or by responding to its email notification.
