University continues to battle malware

University Park, Pa. — A computer in the Outreach Market Research and Data office recently was found to be communicating with a bot controller, exposing 15,806 Social Security numbers to possible compromise. A 'bot' is a type of malware that allows an attacker to gain complete control over the affected computer.

The computer had at one time contained a database of Social Security numbers (SSNs) for official use by the University. The database was removed when Penn State stopped using SSNs in 2005, but an archived copy remained undetected in the computer's cache.

Letters are going out June 2 to those affected by the breach. The mailing includes a brochure detailing how to prevent identity theft. The information was compiled primarily from the FTC (Federal Trade Commission) and the Pennsylvania Attorney General's Web sites. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.

As with other cases at Penn State, the University has no evidence that unauthorized individuals accessed the information, but those affected should be alert in the event that an individual attempts to use their identity. "Even when theft is only a remote possibility, we alert anyone who may have been affected, and arm them with information and steps to take to mitigate their risk," said Sarah Morrow, chief privacy officer for the University.

In a separate case, a similar breach occurred on a University Libraries computer that communicated with a bot controller. Though there is no evidence that personally identifying information was accessed, the 9,766 individuals affected were notified of the breach by letter last week, with details on preventing identity theft.

For information about Penn State's efforts to minimize computer security risks, visit the Take Control Web site at http://its.psu.edu/takecontrol/ online. For more detailed information about identity theft risks and prevention, visit http://www.ftc.gov/bcp/edu/microsites/idtheft/ online.

Contacts: 
Last Updated June 07, 2010