Privacy Breaches May Expose More Social Security Data At Penn State
As many as 25,572 Social Security numbers once stored on Penn State computer systems may have been exposed during security breaches in recent weeks, the university reported Wednesday.
But Penn State has no evidence that any unauthorized people have accessed the Social Security numbers, which appear to belong to alumni, spokesman Geoff Rushton said. He said the breaches happened when malicious software infected two computers -- one each in the university libraries and the Outreach Market Research and Data office.
All the affected individuals have received or will receive notices from Penn State, encouraging them to be vigilant in monitoring their personal data and to prevent identity theft, Rushton said. Some notices were mailed last week; others will be sent today.
"Many of the files were buried fairly deeply in the machines that they were on," Rushton said. "In some cases, it appeared that the information had been deleted (beforehand) but not overwritten."
He said the university is notifying people "out of an abundance of caution more than anything." A 4-year-old state law also mandates the disclosure.
Rushton said he understands that normal security procedures allowed Penn State information-technology personnel to discover the recent breaches. He said the university shares information about such violations with national and regional law-enforcement agencies.
Since 2008, information-technology workers at the university have been working to scrub Social Security numbers, bank-routing data and other sensitive information from a variety of computer systems, Rushton said. He said they're also scouring for malicious software, known as malware.
In 2005, the university stopped using Social Security numbers as a routine method of identifying and tracking students in internal computer systems. Penn State last reported a security breach involving Social Security numbers back in February. In January, according to the university, malware infections exposed 5,600 records with Social Security numbers that were housed in the Student Aid Office.
And on March 23, 2009, Penn State announced that 10,868 Social Security numbers stored at Penn State Erie could have been breached.
But "to the best of our knowledge, there is no evidence of unauthorized use (of) personally identifiable information directly attributable to a compromise at Penn State," Rushton wrote in an e-mail message Wednesday night.
The university has posted a variety of information-guarding tips on a special website, available here.