Russ O’Reilly reports:
Thousands of faculty, staff and former students at Penn State Altoona are examining their bank accounts and credit reports this week after receiving a letter that their personal information could be at risk after a security breach in the university’s database.
A computer virus created with malicious intent to steal information breached a Penn State Altoona computer earlier this spring, university officials said. Some 12,000 alumni, faculty and staff were notified Thursday that their Social Security numbers may have landed in hackers’ hands.
“We have no way of knowing whether [information] was received by anyone outside the university, but there is a potential,” Shari Routch, Penn State Altoona university relations director, said.
[…]
Information technology professionals at the University Park campus discovered the security breach March 15 through a routine system check. Penn State technology experts would not disclose which university office housed the infected computer.
Routch said those who could be affected were not notified until three months after the discovery because University Park information technology professionals and privacy officers worked extensively to sort and match Social Security numbers with names and addresses.
Read more on AltoonaMirror.com. I do not find any statement on the college’s web site at the time of this posting.
Three months strikes me as a bit long to match SSN with names and addresses. Why not put everyone on alert immediately via email or web posting to faculty and staff, at least?
The report indicates that the SSN on the system predated 2005. And as seems all-too-common, rather than protect the data proactively by deleting it, they somehow managed to quickly delete it after the breach:
Prior to 2005, Penn State used Social Security numbers to identify students and faculty, Routch said. Although that identification system has been replaced to preserve personal information, Social Security numbers predating 2005 remained in the database.
University office workers were issued computer software to delete traces of remaining Social Security numbers in the system after the March occurrence.
Sounds like a school that does quarterly security searches for viruses and hacking. “Routine System Check” Penn Universities should know better by now!