Driver's license data found to be part of prior information exposure

UNIVERSITY PARK, Pa. -- Continuing investigation has revealed that 5,904 driver's license numbers, belonging to current and former students at Penn State Altoona, may have been compromised during a previously reported attack on an application hosted on a server on Penn State's University Park campus. The application was compromised using a technique known as SQL injection, which allows an attacker to gain unauthorized, database-level access to vulnerable applications.

As the University reported in December, 1,406 Social Security numbers, all of which belong to students who were enrolled at Altoona campus before 2005, were present in the database that was compromised during the same attack.

As soon as the University became aware of the issue, the server was taken offline. Although there is no evidence that the information has been used by unauthorized individuals, the University's policy is to take a cautionary stance and notify individuals who may have been affected. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.

"We have no reason to believe that this information has been used by unauthorized individuals, but those affected should remain alert in the event that an individual attempts to use their identity," said Sarah Morrow, chief privacy officer for the University. "Whenever identity theft is a possibility, we alert anyone who may have been affected and arm them with information and steps to take to mitigate their risk."

Penn State is notifying those involved via letters that will include contact information should recipients have further questions. Letters are being sent today (Jan. 25) to owners of driver's license numbers that may have been compromised. The mailing also includes a brochure detailing how to prevent identity theft. The information was compiled primarily from the FTC (Federal Trade Commission) and the Pennsylvania Attorney General's websites.

For more information, contact the Penn State Call Center toll-free at 855-842-8351.

To learn more about Penn State's efforts to minimize computer security risks, visit the Take Control website at http://its.psu.edu/takecontrol/. For more detailed information about identity theft risks and prevention, visit http://www.consumer.ftc.gov/features/feature-0014-identity-theft.

Last Updated January 24, 2013