Audit: University of Baltimore left student database open

University of Baltimore officials told state auditors that the computer security concerns uncovered in a recent audit are being addressed. (File photo)

The University of Baltimore improperly left a database with students’ Social Security numbers unprotected and separately lost $22,600 when a vendor overcharged the institution, an audit found.

The inspection by the Department of Legislative Services’ Office of Legislative Audits found that staff turnover and new restrictions led to the open database, which is against University System of Maryland data security protocols.

In its audit response, the university accepted the audit findings and said that some changes had already been implemented.

Among the findings, a database containing the Social Security numbers, names, addresses and dates of birth of more than 117,000 students was not maintained securely. The audit found that the data, commonly associated with identity theft, failed to meet University System of Maryland security standards and should have been encrypted.

The university said no student data was released.

“The University is required to comply with USM’s updated security standards for the safeguarding of (personally identifiable information) data. At the time of the audit, these then-new restrictions had not been implemented,” said Chris Hart, a university spokesperson. “We now have fully implemented the USM’s standards. Additionally, there was no improper release of (personally identifiable information) by anyone or any system at UB.”

In the case of the lost money, a vendor for marketing and advertising charged the university $135 an hour, $5 more an hour than the rate included in the contract. While the university said it had verbally agreed to the higher rate, it did not formally modify the contract as required by University System of Maryland policy.

The legislative audit calculated that the difference between the rates cost the university $22,600 over the first two years of the contract, before it was modified to reflect the higher rate. On the recommendation of the auditors, the university is seeking a legal opinion from the attorney general as to whether it should recoup the payments.

Several of the other findings showed that university employees had system access and abilities that could have cost the university money.

For example, the audit found procedures to review initial residency status determinations for law students were not effective because the reviewer was not independent. Instead, determinations were made by employees of the law school admissions office.

Because of a small admissions office, the admissions director may have needed to update some residency determinations on a case-by-case basis, Hart said. While the ability to change decisions was built into the system, no changes were actually found by the audit.

The university has removed the ability of the director to change residency decisions.

The difference between in-state and out-of-state tuition for full-time students in fiscal year 2017 was nearly $14,000. 

In other areas where a single employee had more access than he or she should have, the university has also changed its protocols to comply with the audit’s findings.
