Administrators Discuss Cyberattack On The College Of Engineering
In a press conference at Old Main today, provost Nick Jones, along with Nicholas Bennett, senior manager at third-party security company Mandiant, further elaborated on the cyberattack on the College of Engineering. Although the university was made aware of the cyberattack in November, Jones said the delay in reporting the incident to the public was part of a “coordinated matter important for success.” He reiterated this is an incredibly serious situation.
Bennett, before answering questions and elaborating on the situation, commended Penn State for acting quickly to address the breaches, noting the university moved in a conscious and timely manner to research and combat the attack and contact a third-party security company.
When the College of Engineering was taken off the network after the public announcement, the passwords of students, faculty, and staff in the college auto-expired to protect their information. The university is now efficiently equipped and informed to combat the attack. Seeing as the College of Engineering is one of Penn State’s largest, the decision to take the college offline impacts hundreds of faculty and thousands of graduate and undergraduate students. Though the semester ended last week, access to documents and research on the college’s server is hindered, which will likely impact Summer Session. Timing was taken into consideration to best minimize the impacts, Jones said. Members of the College of Engineering currently have no access to the network or any work that involves IT.
Bennett said there is no direct evidence of stolen Social Security information or other data theft, but the usernames and passwords of those in the College of Engineering were compromised. Both he and Jones said there is also no evidence of exfiltration of data, though threat actors who had access to usernames and passwords had the ability to look at the information available on these accounts.
The information jeopardized by the attack spanned “around 18,000 personally identifiable pieces of information on several systems,” and Jones said that “if this data falls into the wrong hands, it can be used for inappropriate purposes.” That being said, he noted none of the compromised information is anything that would be a threat to national security if it got into the wrong hands, and at this time the university does not have evidence this data was in fact removed from the servers.
As of right now, there is no speculation as to the motive of the hackers, of which there were two separate parties. Evidence of the initial hack was first traced to September of 2012, and the first presence of the second attacker was discovered in July of 2014. As stated in the release from the College of Engineering earlier today and reiterated in the press conference, at least one of the threat actors is located in China, but the university does not know who it was or the exact location in China. Each source accounted for a separate intrusion, and each intrusion lasted from the time of initial access to the system until today.
When asked about the next step in the large-scale, ongoing investigation and remediation of the attack, Vice Provost of IT Kevin Morooney said the university will employ more vigorous monitoring to understand the constantly evolving threat. Jones additionally stressed the university and Mandiant have “invested tens of thousands of person hours over the last several months in investigating the attack and preparing for the remediation.”