While you may have been enjoying your holiday break, those who work in Penn State's privacy office were not. After malware infections led to a breach of the PSU network, the Social Security numbers of more than 30,000 individuals connected to the Eberly College of Science, the College of Health and Human Development, and the Commonwealth Campuses were exposed. Annemarie Mountz, spokesperson for Penn State, says the university does not know whether the data was actually accessed by cyber-criminals, but that everyone affected should stay alert.
The 2006 Pennsylvania Breach of Personal Information Notification Act requires the University to notify anyone whose personal identification information is lost or stolen due to computer malfunction or hacking. The notification mailing also includes a brochure on how to protect yourself against identity theft. Mountz says the university has been working to encrypt sensitive information since fall 2008. Unfortunately, with so many alumni, staff, and students, it is a long, slow process, and it has clearly not made enough headway.
This news comes shortly after reports that some alumni's Social Security numbers had been exposed as well. In early August, an online grade book containing about 300 Social Security numbers was compromised by a computer virus. Those affected considered taking legal action.
While none of the numbers were used maliciously in that case, there is no reason they should have been sitting around on computers after the affected students graduated, and there is absolutely no excuse for the University to take three months to notify them that a breach had occurred.
The August incident is child's play compared to this one, though: 300 versus 30,000 is the difference between a single class and an entire university. While Penn State officials are working hard to notify those affected and clean up the mess, it is still a big mess. Josh Shaul, Vice President of product management at Application Security Inc., says the university must first protect the data it knows exists; second, search for data that may be sitting in unknown places; and finally, establish a system that keeps data, known and unknown, within the organization's network.
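The second of those steps, finding sensitive data that has drifted into places nobody is tracking (an old grade book on a departmental share, for instance), is something a campus IT shop can actually script. What follows is an added example written for this article, not tooling from Penn State or Application Security Inc.: a small Python scanner that walks a directory tree, flags lines that look like they contain Social Security numbers, drops values the Social Security Administration has never issued (area 000, 666 or 900 and above; group 00; serial 0000) to cut false positives, and records only the last four digits so the inventory itself does not become yet another copy of the data. The sample grade-book text, file names and suffix list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

# Candidate SSN: 3 digits, optional "-" or " " separator, 2 digits, the same
# separator again, 4 digits. The lookarounds stop the pattern from matching
# inside longer digit runs (phone numbers, order IDs) or hyphenated tokens.
SSN_CANDIDATE = re.compile(r"(?<![\w-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\w-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA has never issued: area 000, 666 or 900-999,
    group 00, serial 0000. Everything else is treated as a hit."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str  # "***-**-1234": last four digits only, never the full number


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return masked findings with line numbers."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_CANDIDATE.finditer(line):
            area, group, serial = m.group(1), m.group(3), m.group(4)
            if plausible_ssn(area, group, serial):
                findings.append(Finding(path, line_no, "***-**-" + serial))
    return findings


def scan_tree(root: Path, suffixes: Tuple[str, ...] = (".txt", ".csv", ".log")) -> List[Finding]:
    """Walk a directory and scan every file whose suffix is in `suffixes`.
    Unreadable files are skipped rather than aborting the whole inventory."""
    out: List[Finding] = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            out.extend(scan_text(str(p), text))
    return out


# Constructed sample grade book (invented values, not real identifiers).
# Lines 2 and 3 are real-looking SSNs; 4 and 5 use never-issued ranges;
# the phone number and the 10-digit order number must not match.
SAMPLE_GRADEBOOK = """name,id,grade
Alice,123-45-6789,A
Bob,234567890,B
Carol,000-12-3456,C
Dave,555-00-1234,B
Phone: 814-555-1234 x5678
Order 1234567890
"""


def demo() -> List[Finding]:
    """Run the scanner over the constructed sample."""
    return scan_text("gradebook.csv", SAMPLE_GRADEBOOK)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no}: {f.masked}")
```

Point `scan_tree` at a share or home-directory root to get an inventory of files that need to be encrypted or deleted. The regex is deliberately narrow; a real discovery pass would also need to open spreadsheets, PDFs and database exports rather than plain text, but the masking rule should carry over unchanged: a report that lists full numbers is itself a breach waiting to happen.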