The University of Maryland stored sensitive personal and financial information of prospective students on publicly accessible servers, data that could make students easy prey to identity thieves, according to a recent audit.
The state Office of Legislative Audits, which reviewed the University System of Maryland Office from February 2008 to March 2011, found that student names, Social Security numbers, and even some credit card numbers were stored without encryption on a university web server that could have been susceptible to hackers.
The student data that was found on the server “is commonly sought for use in identity theft,” according to the audit. The university system’s own guidelines require such nonpublic information be deleted or encrypted to prevent security breaches.
No prospective student data was compromised while on the publicly accessible server, according to Mike Lurie, spokesman for the university system.
The discovery was one of several findings regarding security risks and potential network issues affecting the university’s servers and wireless connections.
The university system is responsible for network connections with other University of Maryland institutions, as well as handling access to the state’s financial management information system.
Officials also failed to implement investment policies to oversee the university’s approximately $198 million in endowment funds from the University of Maryland Foundation, which helps receive and manage gifts for the university, as of June.
University officials have been working to address the findings in the audit, including removing all personal and financial data from public servers, according to the report.
A new investment policy covering the university system’s finances was also approved in September. And new processes have been created to ensure such data doesn’t make its way to public servers again.
“The IT department would have known if any information was breached or compromised,” Lurie said. “The updated controls were put into place in December of 2010, before the audit was completed. … We used the useful findings in the audit to continue moving forward to maximize our security protections.”
