DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

University of Baltimore exposed student identity information for more than three years: auditors (UPDATED)

Posted on January 28, 2018 by Dissent

Jan. 29 – please see update under this post.

Meredith Cohn reports on a breach involving University of Baltimore student data:

The University of Baltimore has added protections to personal student data that officials had left unsecured possibly for years, according to a state audit released this month.

The information on 117,793 students was kept in text form in a database that contained names, addresses, dates of birth and Social Security numbers. The lapse was discovered during a routine audit by the Department of Legislative Services’ Office of Legislative Audits.

Such sensitive personally identifiable information is “commonly associated with identity theft,” read the audit, which covered July 2013 to mid-September 2016. “

Read more on The Baltimore Sun.

Now keep in mind that the University of Baltimore is part of the University System of Maryland. And in December, 2014, the Baltimore Sun reported:

Nearly a year after a massive data breach at the University of Maryland, state auditors say the campus network is still vulnerable to hackers — in part because gaps they identified five years ago remain.

While patching those holes would not have prevented the breach, auditors and university officials said Wednesday, some of the network still lacks proper firewalls or systems to detect intruders or malware.

Thomas Barnickel, an auditor with the state Office of Legislative Audits, said the findings suggest broader issues regarding the network’s protection.

Were those gaps applicable to the University of Baltimore? For how many years has UB been seriously vulnerable?

DataBreaches.net sent an inquiry to the University of Baltimore asking whether students were sent notification letters and/or offered any mitigation services.  Because the state’s report did not indicate whether they had assessed or investigated unauthorized access to the student data, our inquiry also included a question as to whether forensic investigation had determined whether any unauthorized IP addresses or individuals had accessed the exposed data.  No response has been received from University of Baltimore as of publication time. This post may be updated as more information becomes available.

Update:  The U. of Baltimore responded to this site’s inquiries. First and foremost, there was no breach involving the student data. None at all. Although the state’s report did not address that specifically, U. of Baltimore did investigate and found no breach.

The only – or real – issue, according to a university spokesperson, was that the data were in plain text and needed additional security such as encryption.  According to the spokesperson:

The issue pointed out in the legislative audit was that data were stored without additional recommended safeguards; adequate safeguards were in place. UB had security in place but needed to add encryption to our capabilities; there was significant concern about slowing the system down so extensive testing was done prior to implementing the
encryption; consequently, the work was in progress when the auditors arrived on campus. We have completed this task per the audit’s recommendation.

So if anything, it sounds like the auditors did their job – they pointed out where the security for the data needed to be hardened by deploying encryption. And the university didn’t dispute that and had already been working on it.  It’s a shame that they hadn’t completed it by the time of the audit, as they seem to have gotten bad local press for a situation that many universities still grapple with.

Category: Education SectorExposureU.S.

Post navigation

← Hacking and phishing accounted for 75% of breaches reported to North Carolina in 2017
Ontario Progressive Conservative Party database hacked: Sources →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.