Penn State announces two breaches involving personal information


Date Reported:
6/2/10

Organization:
Pennsylvania State University ("Penn State")

Contractor/Consultant/Branch:
Outreach Market Research and Data office, and university libraries

Location:
University Park, Pennsylvania

Victims:
"appear to belong to alumni"

Number Affected:
25,572 Total:
15,806, in the breach affecting the Outreach Market Research office
9,766, in the breach affecting the university libraries

Types of Data:
"personal information, including Social Security numbers"

Breach Description:
"As many as 25,572 Social Security numbers once stored on Penn State computer systems may have been exposed during security breaches in recent weeks, the university reported Wednesday."

Reference URL:
StateCollege.com
Centre Daily News
infosecurity.com

Report Credit:
Adam Smeltz, StateCollege.com

Response:
From the online sources cited above:

As many as 25,572 Social Security numbers once stored on Penn State computer systems may have been exposed during security breaches in recent weeks, the university reported Wednesday.
[Evan] This is an unfortunate by-product of the university trying to do the right thing after years of doing the wrong thing.  What I mean by this is the university is going through all of their systems in an attempt to locate and secure sensitive information (the right thing).  The wrong thing is that these systems and sensitive information were not properly secured by design, prior to implementation.  This is a challenge faced by many organizations who are trying to make this transition.  Breaches will be discovered in the process.

But Penn State has no evidence that any unauthorized people have accessed the Social Security numbers, which appear to belong to alumni, spokesman Geoff Rushton said.

He said the breaches happened when malicious software infected two computers -- one each in the university libraries and the Outreach Market Research and Data office.

All the affected individuals have received or will receive notices from Penn State, encouraging them to be vigilant in monitoring their personal data and to prevent identity theft, Rushton said.

Some notices were mailed last week; others will be sent today.

"Many of the files were buried fairly deeply in the machines that they were on," Rushton said.

"In some cases, it appeared that the information had been deleted (beforehand) but not overwritten."
[Evan] Are there still people out there who think that hitting the "Delete" key works in getting rid of information?

He said the university is notifying people "out of an abundance of caution more than anything."
[Evan] Ugh, I do not like the "abundance of caution" claims in any breach notification.

A 4-year-old state law also mandates the disclosure.

Rushton said he understands that normal security procedures allowed Penn State information-technology personnel to discover the recent breaches.
[Evan] This actually speaks highly of Penn State's current information security practices.  Regular scanning, testing, and monitoring are all critical to a well run information security program.

Since 2008, information-technology workers at the university have been working to scrub Social Security numbers, bank-routing data and other sensitive information from a variety of computer systems, Rushton said.

In 2005, the university stopped using Social Security numbers as a routine method of identifying and tracking students in internal computer systems.

Penn State last reported a security breach involving Social Security numbers back in February.

In January, according to the university, malware infections exposed 5,600 records with Social Security numbers that were housed in the Student Aid Office.

And on March 23, 2009, Penn State announced that 10,868 Social Security numbers stored at Penn State Erie could have been breached.

But "to the best of our knowledge, there is no evidence of unauthorized use (of) personally identifiable information directly attributable to a compromise at Penn State," Rushton wrote in an e-mail message Wednesday night.

Commentary:
Organizations that did not design information security into their architecture, infrastructure, and culture early on face significant challenges that are sometimes not accounted for when they decide (as they should) to implement a sound information security program.  Organizations who are starting out down this road need advice from people who have done this transition work before, and they need this advice early on.  Good information security advice helps to set expectations and plan appropriately.
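The "deleted but not overwritten" remark above, and the scrubbing effort Penn State has been running since 2008, as an added example that is not part of the original post and not anything Penn State or the cited news outlets published: a toy block volume in Python plus a scanner for formatted Social Security numbers. An ordinary delete only drops the directory entry, so the scanner keeps finding the numbers in unallocated blocks until either free space is wiped or the file's blocks are overwritten before the entry is removed. The block size, file names, and the SSN values are constructed for the example; the plausibility filter uses the SSA's issuance rules (no 000, 666 or 900-999 area, no 00 group, no 0000 serial), and the scanner deliberately matches only the ddd-dd-dddd form because bare nine-digit runs are too noisy for a first pass.

```python
"""Toy block volume + SSN scanner: shows why a plain delete leaves data on disk."""
import re

BLOCK = 64  # bytes per block in the toy volume (assumption, not a real FS size)

# Formatted SSNs only (ddd-dd-dddd); bare 9-digit runs are too noisy for a first pass.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def plausible_ssn(ssn: str) -> bool:
    """Reject patterns the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    area, group, serial = (int(p) for p in ssn.split("-"))
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def find_ssns(data: bytes) -> list:
    """Return the distinct plausible SSNs found anywhere in a raw byte buffer."""
    hits = {m.group(0).decode("ascii") for m in SSN_RE.finditer(bytes(data))}
    return sorted(s for s in hits if plausible_ssn(s))


class ToyVolume:
    """A flat image of fixed-size blocks plus a directory mapping names to blocks."""

    def __init__(self, blocks: int = 16):
        self.image = bytearray(BLOCK * blocks)
        self.directory = {}   # name -> list of block numbers
        self._next_free = 0   # bump allocator; freed blocks are never reused here

    def write_file(self, name: str, content: bytes) -> None:
        n = (len(content) + BLOCK - 1) // BLOCK
        blocks = list(range(self._next_free, self._next_free + n))
        self._next_free += n
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry, leave the blocks untouched."""
        del self.directory[name]

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's blocks with zeros before dropping the entry."""
        for b in self.directory[name]:
            self.image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        del self.directory[name]

    def _blocks(self, allocated: bool) -> bytes:
        used = {b for bl in self.directory.values() for b in bl}
        total = len(self.image) // BLOCK
        return b"".join(bytes(self.image[b * BLOCK:(b + 1) * BLOCK])
                        for b in range(total) if (b in used) == allocated)

    def allocated(self) -> bytes:
        return self._blocks(True)

    def unallocated(self) -> bytes:
        return self._blocks(False)

    def wipe_unallocated(self) -> None:
        """Zero every block no directory entry references (free-space wipe)."""
        used = {b for bl in self.directory.values() for b in bl}
        for b in range(len(self.image) // BLOCK):
            if b not in used:
                self.image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)


# Constructed sample data; the names and numbers are made up for this example.
SURVEY = b"Outreach survey results, 2010-06-02. Contact ext. 814-555-1212.\n"
ALUMNI = (b"name,ssn\n"
          b"A. Smith,123-45-6789\n"
          b"B. Jones,234-56-7890\n"
          b"test row,000-12-3456\n")


def demo() -> dict:
    """Walk the volume through delete, free-space wipe and overwrite-before-delete."""
    vol = ToyVolume()
    vol.write_file("survey.txt", SURVEY)
    vol.write_file("alumni.csv", ALUMNI)
    live = find_ssns(vol.allocated())          # the live file: two real SSNs
    vol.delete("alumni.csv")                   # the "Delete" key
    residue = find_ssns(vol.unallocated())     # still sitting in free space
    vol.wipe_unallocated()
    after_wipe = find_ssns(vol.unallocated())  # gone once free space is zeroed
    vol.write_file("alumni.csv", ALUMNI)
    vol.secure_delete("alumni.csv")
    after_secure = find_ssns(vol.image)        # scan the whole image: nothing left
    return {"live": live, "after_delete": residue,
            "after_free_space_wipe": after_wipe, "after_secure_delete": after_secure}


if __name__ == "__main__":
    for step, ssns in demo().items():
        print(f"{step:>22}: {ssns}")
```

The scan over `vol.unallocated()` is the step that matters for a scrubbing program: a scanner that only walks live files will report a clean machine while the numbers are still recoverable from free space. On real hardware a single overwrite is also not the whole story; journaling filesystems, snapshots, backups and SSD wear leveling can keep copies that this toy model does not represent.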

Past Breaches:
Many
