Cyberattack at PSU exposes thousands of Social Security numbers
For the third time in six months, a cyberattack at Penn State University exposed thousands of Social Security numbers to identity theft, officials confirmed yesterday.
"We continue to investigate it ourselves," said Geoff Rushton, a school spokesman. "And we're also working with national and regional agencies."
Rushton said he could not name the agencies because of confidentiality agreements.
Sometime before Wednesday, Penn State officials discovered that a computer in the Outreach Market Research and Data office was communicating with malicious software that enables attackers to control the target computer, Rushton said.
The breach exposed 15,806 Social Security numbers, according to a statement released by school officials.
In a separate, similar attack sometime before the week of May 24, the Social Security numbers of 9,766 individuals were exposed, Rushton said.
"We don't know the exact dates of either," he said. "We just know that they occurred earlier this year."
No evidence exists in either case that anyone accessed the Social Security numbers, Rushton said.
But school officials sent letters to those who might be affected by the attacks, alerting them to the possibility that their information was exposed.
The Social Security numbers belong to Penn State students who attended the school before 2005. That year, the university stopped using Social Security numbers as personal identifiers, Rushton said.
Penn State officials removed the database of numbers, but an archived copy remained undetected in the computers' caches, Rushton said.
About 30,000 people had Social Security numbers exposed during a comparable attack sometime before Dec. 23. Two smaller data breaches occurred last year and in December 2008.
Data breaches of this type are becoming more common, said Thom VanHorn, a vice president with Application Security Inc., a New York-based company that specializes in database security.
"People can go onto the black market and sell sensitive information easily," VanHorn said. "They know vulnerabilities are out there. And even when vulnerabilities are known, it takes time for an organization to patch them."
The 2006 state Breach of Personal Information Notification Act mandates that the university notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised. The mailing includes a brochure detailing how to prevent identity theft.