The University of Maryland has admitted that the personal information of more than 300,000 staff and students has been accessed in a “sophisticated” cyber attack.
The records include the names, social security numbers, and birth dates of 309,079 people issued with identification cards at the institution’s College Park and Shady Grove campuses since 1998.
But no financial, academic or contact information was compromised, according to a statement issued by university president Wallace Loh.
State and federal law enforcement authorities and computer forensics experts are investigating the breach, he said in a statement.
"Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed,” said Loh.
The attack comes after the university doubled the number of its IT security staff and its investment in security tools. “Obviously, we need to do more and better, and we will,” said Loh.
More on data breaches
Universities are attractive targets to cyber attackers because of the vast databases they maintain containing personal details.
The latest breach ranks among the largest at US universities, reports news site Cnet.
In 2006, attackers accessed around 800,000 records at the University of California, Los Angeles and 275,000 records the year before at the University of Southern California.
In 2011, the University of Wisconsin-Milwaukee was breached, but took more than two months to notify 75,000 students and staff that their personal information may have been exposed.
In contrast, the University of Maryland notified those affected the day after the breach was discovered and is offering one year of free credit monitoring to all affected persons.
Fraud is of particular concern in cases where social security numbers are involved because they can be used by criminals to sign up to credit cards and bank loans using stolen identities.
“Once that happens, it can be messy to clean up – you need to convince the federal government that your identity has been stolen and all options have been exhausted, before you can get a new number assigned,” according to CNN Money.