From Pennsylvania State University’s web site:
A computer in the Dickinson School of Law that contained 261 Social Security numbers from an archived class list was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network.
As soon as the University became aware of the malicious software on this computer, it immediately was taken off line. Although it cannot be determined with certainty that any data was pulled from the computer by the infectious software, the University’s policy is to take a cautionary stance and notify individuals who may have been affected. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.
[…]