|
PSU hit in cyber attack [The Pittsburgh Tribune-Review]
(Pittsburgh Tribune-Review (PA) Via Acquire Media NewsEdge) Dec. 29--The Social Security numbers of about 30,000 people became vulnerable after malicious software attacked Penn State University computers some time before Dec. 23, school officials said Tuesday.
"We're not sure if the data was accessed" by cyber-criminals, said Annemarie Mountz, spokeswoman for Penn State.
The school is trying to determine whose Social Security numbers were exposed, Mountz said. She could not say whether they belonged to faculty, staff, alumni or others.
The breaches involved 7,758 records in the Eberly College of Science, 6,827 records in the College of Health and Human Development, and about 15,000 records from a Penn State branch campus.
"The Social Security numbers were in archived files that people didn't realize were on their computers," said Mountz. She did not know the types of computers that housed the data. Most Penn State officials are on vacation this week.
Penn State officials sent letters to those affected at the Eberly College of Science and the College of Health and Human Development on Dec. 23, Mountz said. She would not identify the branch campus because investigators are searching for contact information to notify people.
"Even when theft is only a remote possibility, we alert anyone who may have been affected, and arm them with information and steps to take to mitigate their risk," Sarah Morrow, the school's chief privacy officer, said in a statement.
The 2006 state Breach of Personal Information Notification Act mandates that the university notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised. The mailing includes a brochure detailing how to prevent identity theft.
The university's news Web site, Penn State Live, says other data breaches occurred in January and February and in December 2008, although those were much smaller. One targeted a single computer; the two others affected hundreds of individuals.
Penn State officials instituted extra protection measures for sensitive data in fall 2008. They started scanning for strings of numbers that could be Social Security or credit card numbers so they could protect them, and started encrypting, or changing into code, sensitive data, Mountz said.
"But with 40,000 employees, it's a slow process," she said.
Penn State officials continue to educate employees about Internet safety, Mountz said. Examples include not clicking on links in e-mails from unfamiliar sources, she said.
"Unfortunately, a majority of organizations that are as large and as longstanding as Penn State are in the same situation," said Josh Shaul, vice president of product management for Application Security Inc., a New York-based company that specializes in database security.
Younger organizations build information technology infrastructure with today's security threats in mind, Shaul said. The makers of older IT systems did not know the variety of worms, viruses and other malware that could penetrate defenses and access sensitive information.
Shaul said organizations must first protect data they know exist. Second, officials must search for data that could be in unknown places. Finally, officials must establish a system to keep data, known and unknown, within the organizations' networks.
To see more of The Pittsburgh Tribune-Review or to subscribe to the newspaper, go to http://www.pittsburghlive.com/x/pittsburghtrib/.
Copyright (c) 2009, The Pittsburgh Tribune-Review
Distributed by McClatchy-Tribune Information Services.
For reprints, email tmsreprints@permissionsgroup.com, call 800-374-7985 or 847-635-6550, send a fax to 847-635-6968, or write to The Permissions Group Inc., 1247 Milwaukee Ave., Suite 303, Glenview, IL 60025, USA.
[ Back To TMCnet.com's Homepage ]
|
TMCnet LOGIN
Webinars
