UMaine Police Leading Investigation Into Computer Security Breach

Contact: Joe Carr at joe.carr@umit.maine.edu

ORONO — The University of Maine police department is leading the investigation into the breach of two UMaine computer servers this spring. Sensitive data related to approximately 4,585 students were exposed as a result of these hacker attacks. Compromised files date as far back as 2002.

“This is an insidious affront to the rightful privacy expectations of our students,” UMaine Vice President for Student Affairs and Dean of Students Robert Dana said at a news conference this afternoon. “The criminals who make it their business to exploit our society’s need and ability to store information are beneath contempt and we are engaging all possible resources to find the source of these attacks.”

The UMaine police department is consulting with the U.S. Attorney’s office and computer crimes experts from the U.S. Secret Service.

The servers held information from UMaine’s counseling center, which provides support and mental health services to the university’s student population. The compromised database includes names, social security numbers and clinical information relating to every student who engaged counseling center services between Aug. 8, 2002 and June 21 of this year.

“The high-level safeguards we have in place routinely thwart these attempts, but they were not adequate in this case,” Dana said. “This is a serious breach, and we are profoundly sorry that this has happened.”

UMaine’s investigation began on June 16, when counseling center staff members reported difficulty in accessing server files.

That investigation has revealed that a server, containing information archived from 2002-2005, was compromised as early as March 4. Once the hacker had gained access to that machine, he or she infiltrated a second server, which carries the active version of the 2002-2010 counseling center database.

To preserve the integrity of the investigation, police will not disclose the specific techniques the hackers used to access the servers.

“There is no indication that data were viewed, compromised or downloaded from either of these servers, but we are operating according to a worst-case scenario,” Dana said. “In any case like this, identity theft must be a top concern and consequently we are taking strong measures to assist those whose information may have been exposed and to prevent further security intrusions.”

UMaine has engaged Debix, a company that works with organizations that are victimized by attacks of this nature. For at least 12 months, Debix will monitor affected individuals who wish to access their services to watch for indications of identity theft and any fraudulent activity related to their credit. The company will also provide immediate alerts to individuals if there is suspicious activity related to their credit, along with identity theft insurance.

Today’s announcement is a first step toward informing the students and former students in the affected database of the breach. UMaine is also sending a customized letter to each person in the database. Those letters, which will be mailed in early July, will include details about how to access Debix’s services, which will be provided at no cost to those affected.

Any student or former student who visited the counseling center as a UMaine student since Aug. 8, 2002 should assume that he or she is in the affected database.

“The prevalence of attacks of this nature has resulted in the growth of firms such as Debix that specialize in working in these areas to assist institutions and individuals,” says UMaine Vice President for Administration and Finance Janet Waldron. “The company comes to us with strong references and extensive expertise. We believe this strengthens our response to protecting individuals should there be any intent to misuse the information that may have been obtained.”

In addition to retaining the services of Debix, UMaine and the University of Maine System are taking further measures to address this situation and to work toward preventing future security breaches. The university will engage Protiviti, a global consulting company that will provide forensic information technology investigation expertise. The university will also conduct an internal review to determine whether policies and procedures were followed properly while also looking for ways to improve current practices.