
Cyberattack at PSU exposes thousands of Social Security numbers

Tuesday, June 8, 2010

For the third time in six months, a cyberattack at Penn State University exposed thousands of Social Security numbers to identity theft, officials confirmed yesterday.

"We continue to investigate it ourselves," said Geoff Rushton, a school spokesman. "And we're also working with national and regional agencies."

Rushton said he could not name the agencies because of confidentiality agreements.

Sometime before Wednesday, Penn State officials discovered that a computer in the Outreach Market Research and Data office was communicating with malicious software that enables attackers to control the target computer, Rushton said.

The breach exposed 15,806 Social Security numbers, according to a statement released by school officials.

In a separate, similar attack sometime before the week of May 24, the Social Security numbers of 9,766 individuals were exposed, Rushton said.

"We don't know the exact dates of either," he said. "We just know that they occurred earlier this year."

No evidence exists in either case that anyone accessed the Social Security numbers, Rushton said.

But school officials sent letters to those who might be affected by the attacks, alerting them to the possibility that their information was exposed.

The Social Security numbers belong to Penn State students who attended the school before 2005. That year, the university stopped using Social Security numbers as personal identifiers, Rushton said.

Penn State officials removed the database of numbers, but an archived copy remained undetected in the computers' caches, Rushton said.

About 30,000 people had Social Security numbers exposed during a comparable attack sometime before Dec. 23. Two smaller data breaches occurred last year and in December 2008.

Data breaches of this type are becoming more common, said Thom VanHorn, a vice president with Application Security Inc., a New York-based company that specializes in database security.

"People can go onto the black market and sell sensitive information easily," VanHorn said. "They know vulnerabilities are out there. And even when vulnerabilities are known, it takes time for an organization to patch them."

The 2006 state Breach of Personal Information Notification Act mandates that the university notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised. The mailing includes a brochure detailing how to prevent identity theft.
