Three months. 90 days.
An entire semester nearly concludes.
A lot can happen in that time.
So we were startled to learn that Penn State students whose Social Security numbers may have been compromised were not notified until three months after the breach was discovered.
The university initially reported on Sept. 10 that malicious software infected a University Park computer server that contained Social Security numbers of 1,406 students who attended Penn State Altoona before 2005. The issue was caused by an SQL injection, which targets data-driven applications.
On Dec. 28, Penn State sent letters to the students whose Social Security numbers may have been compromised.
The university said it was time-consuming to determine how much personally identifiable information the injection put at risk. As of right now, we know that an outside computer accessed the Social Security information, but there’s no evidence that unauthorized people used it.
If this is the case, we are lucky that no personal information was compromised. If this were to ever happen again, we might not be this lucky.
But why, when so many awful situations could have arisen, would the university wait so long to tell students about a possible breach in security? Obviously, no one wants his or her Social Security number in the hands of the wrong person.
Students from Penn State Altoona could have had assets removed from their personal accounts.
It’s concerning that the university would wait so long to notify students. Students could have taken that time to try to better protect themselves.
Of course, it’s understandable that it took time to investigate the problem and compile a full list of students to notify of the possible problem, but the university definitely could have taken more steps to ensure the safety of its former students.
Why couldn’t the university let all Penn State Altoona students who attended before 2005 know that there was a possible security threat and advise former students to monitor their personal accounts? There was no advantage to not disclosing this information for three months.
Some people rarely, if ever, check their personal accounts to make sure they are up-to-date. It was important to let them monitor potential threats because, without notification, a huge problem could have gone unnoticed for months.
According to the 2012 Identity Fraud Survey Report, more than 11.6 million adults in the United States were exposed to identity fraud in 2011 — a 13 percent increase from 2010.
Most individuals who experienced identity theft ended up paying hundreds of dollars out-of-pocket as a result, according to the study.
Most likely, none of the students from Penn State Altoona would be happy about paying a few hundred extra dollars.
Some students probably do not even know how to look up their information so they can monitor their accounts. It would probably be beneficial for students to receive more guidance as to how to be careful with their online data. One idea would be to incorporate it into a freshman seminar course.