Some Penn State alumni received an unwelcome, belated Christmas present this year: a letter notifying them that their Social Security numbers may have been exposed.
The university initially reported that malicious software infected a University Park computer server that contained Social Security numbers of 1,406 students who attended Penn State Altoona before 2005, Marcus Robinson, director of Information Technology communications, wrote in an email.
But the issue was actually caused by an “SQL injection,” Robinson said. An SQL injection targets data-driven applications, according to the Microsoft Developer Network. The incident was discovered on Sept. 10, and the server was taken offline the same day, he said.
It was time-consuming to determine how much personally identifiable information the injection put at risk, Robinson said.
On Dec. 28, more than three months after the issue was discovered, Penn State sent letters to the students whose Social Security numbers may have been compromised, according to a press release on Penn State Live. As soon as the investigation on the number of potentially compromised Social Security numbers was complete, the Privacy Office began to prepare and send the letters, Robinson wrote.
An outside computer accessed the information, but there’s no evidence that unauthorized people used it, Robinson said.
A long-standing issue
Penn State weathered a string of computer security issues in recent years. In September, the university’s anti-virus software detected a possible security compromise on a laptop a faculty member brought from home. The laptop contained the Social Security numbers of 2,500 students from the classes before 2005.
The university now uses the nine-digit student ID to track students and their grades, but it used Social Security numbers prior to 2005.
More than 20,000 students’ Social Security numbers may have been exposed in 2010 because of infected computers in the Outreach Market Research and Data office and the Student Aid Office.
Will C. Connell, Class of 2005, studied aerospace engineering at Penn State Altoona before graduating from Penn State University Park. He said when he first heard about the latest incident, he hoped he was one of the lucky ones who wasn’t affected — but he wasn’t very concerned.
“I pay enough attention to my credit history that I wasn’t worried,” Connell said. “The second an account is created in my name, I know.”
Connell, though, may be an exception. Because he now works in the defense industry, he receives a lot of training about protecting his personal information, he said.
Guarding your identity
Penn State takes several precautions to guard personal information, Robinson said. The university runs one of the largest efforts in the nation to scan for personally identifiable information and remove it from systems that shouldn’t have it, he said. In addition, the university also uses “an extensive Intrusion Detection architecture” to quickly identify attacks, Robinson said.
Good security also means making sure computer users install the most up-to-date anti-virus software, he said.
Earlier this week, Interim Executive Vice President and Provost Robert Pangborn sent an email to students and faculty, directing them to resources for protecting their computers. The administration sends the email every academic year to fulfill the requirements of the Higher Education Opportunity Act, Robinson said.
Gerald Santoro, senior instructor of information sciences and technology, said most of the university system’s protection is through access controls — an ID and password — that limit what a user can do. Faculty are strongly urged not to store any personally identifiable information, like Social Security numbers, on any university systems that haven’t been certified for that purpose, he said.
“Through the combination of the access controls and the university policies, the hope is to prevent the damage of malware getting into the university system,” Santoro said.
Santoro said running a computer on a less-privileged account, instead of an administrator account, helps prevent infections. Otherwise, malicious software can automatically install itself on a computer, he said. Santoro said computer users should always have good anti-malware and anti-spyware programs installed, which are available for free on the Information Technology Services website, its.psu.edu.
People should never click on web links in an email, especially if they claim to be sent by their bank — it’s almost always a phishing attack to steal their bank account information, Santoro said.
Santoro said it’s impossible to have a perfectly secure system, but people who work in information security at Penn State are doing everything they reasonably can to protect information.
“They’re very serious about it, and they really are trying to do the best possible job they can to make sure that individuals do not compromise their own security,” Santoro said, “but also to make sure the caretakers of the information — the faculty and staff — are doing what they should be to make sure that information is secure.”