Statement from Vice President Dana

Robert Dana, UMaine Vice President for Student Affairs and Dean of Students
News Conference Statement
June 29, 2010
As Prepared

Good afternoon, and thank you for being here today.

Internet crime is a fast-growing and serious problem in our society, and we are sorry to report that the University of Maine and some of its students – past and present – are the victims of a data base breach.

Hackers have compromised two university servers, which include databases listing 4,585 students who accessed the services of the UMaine Counseling Center between Aug. 8, 2002 and June 21 of this year.

The Counseling Center provides support services and mental health counseling to UMaine students. In addition to names, the databases included social security numbers and clinical information about the individuals listed.

There is no indication that data were viewed, compromised or downloaded from either of these servers, but we are operating according to a worst-case scenario. In any case like this, identity theft must be a top concern and consequently we are taking strong measures to assist those whose information may have been exposed and to prevent further security intrusions.

To help with our response, we have contracted with Debix Identity Protection. This is a highly regarded national firm that comes to us highly recommended. Students and former students in the data base will have the option of using Debix services – at no cost to them – to monitor their credit for at least 12 months, as a measure of assurance against the scourge of identity theft.

This is an insidious affront to the rightful privacy expectations of our students. The criminals who make it their business to exploit our society’s need and ability to store information are beneath contempt. We are engaging all possible resources to find the source of these attacks.

The UMaine police department is leading the investigation, in consultation with the U.S. Attorney’s Office and computer crimes experts from the U.S. Secret Service. This is a comprehensive, aggressive investigation tapping the vast expertise and resources available in this criminal investigation realm.

Our investigation began on June 16, when Counseling Center staff members reported difficulty accessing their server. The initial breach has been traced to March 4. Subsequent suspicious network activity triggered automated alerts, and that server was blocked from accessing the Internet. However, because they had infiltrated the first server the criminals were then able to hack a second server. The first machine contained records for the 2002-2005 time period, while the second one contained a copy of that data base plus similar information for the intervening five years.

Nothing is more important than providing comprehensive services in a confidential and caring manner. This is essential for us and we take seriously our responsibility to properly manage the information our students share with us. The high-level safeguards we have in place routinely thwart these attempts, which occur virtually every day, but they were not adequate in this case. This is a serious breach, and we are profoundly sorry that this has happened.

It is important to note that attacks of this nature, mostly automated, occur constantly. Servers at institutions like UMaine can endure thousands of attempts on a given day. We have no reason to think that the target in this case was anything other than identity theft. The fact that a counseling center server was breached is most likely coincidental.

In addition to the police investigation, we are working with our colleagues at the University of Maine System to take extra steps to ensure that further incidents of this nature do not occur. We have engaged an outside expert in IT forensic investigation to help us. We will also thoroughly review university and system policies and procedures, to make sure that they are optimally effective.

Today’s announcement is the first step in notifying those affected by this crime. If you were a UMaine student between Aug. 8, 2002 and June 21, 2010 AND you accessed the counseling center, your information was in the compromised data base. We estimate that four-to-five percent of UMaine students during this time frame may be affected. If you answer “no” to either of those questions, you have no cause for concern.

We are also preparing a letter to each person in that database, to be mailed within the next few days, to provide information about how to access the services we are providing. We are taking steps to determine current mailing addresses for each person listed in the database.

Those letters are critical to the response. They will include all the relevant details and personalized information about obtaining identity protection services at the university’s expense.

We have also created a Web site, at umaine.edu/informationcenter, to provide a guide for those who might be affected, or have concerns that they might be.

Colleges and universities are prime targets for these criminals. We have large, powerful servers and high-speed connections that provide advantages to those who mean to profit by victimizing innocent people. One Web site that tracks such things reports five other similar crimes at U.S. universities this month alone. It’s serious, it’s insidious and it’s offensive to all we stand for. We pledge to do what we can to assist those affected and to try and prevent further such attacks in the future.

Detective Sergeant Bill Flagg from the UMaine police department is here with us to answer questions. Also here with me is John Grover, associate director of IT at the University of Maine System. Others, including Vice Chancellor Rebecca Wyke and Vice President Janet Waldron are also here and will be able to help answer any questions you might have.

On Detective Flagg’s advice and for purposes of the police investigation, we will refrain from discussing the techniques the hackers may have used to compromise these servers.