Educational Security Incidents (ESI)

Quick Facts

• Date: 12/18/2009
• Institution: Penn State University
• Type of Incident: Penetration
• Number Affected: 30,000 (Updated)
• Source: DataLossDB
• Abstract Source: Penn State Live
• Update1 Source: Pittsburgh Post-Gazette, DataBreachs.net

Abstract
Penn State University is alerting former students after a computer containing personal information was compromised by malware. The computer, found to be infected with malware and communicating to computers outside of the university, contained an archived class list with 261 Social Security numbers. The university removed the infected computer from the network as soon the problem was discovered. According to PSU's chief privacy officer, Sarah Morrow, there is no reason to believe the student information was accessed but Penn State decided to err on the side of caution. As Morrow stated, "Even when theft is only a remote possibility, we alert anyone who may have been affected, and arm them with information and steps to take to mitigate their risk."

Update1
Pennsylvania State University has begun notifying individuals after a large scale malware outbreak was discovered. The outbreak, affecting multiple computers, involved systems containing the names and Social Security numbers of around 30,000 individuals. The systems affected belonged to the Eberly Colelge of Science (7,758 records), the College of Health and Human Development (6,827 records) and Penn State Schuylkill (15,000 records). According to Penn State spokeswoman Annemarie Mountz the Social Security numbers were contained in archived files on the systems affected by the malware and the university does not have any indication the files were accessed. Instead the letters, containing information on protecting against identity theft, were sent out as a precaution. As a result of this and a previous breach this year at Penn State's Behernd campus, Penn State has started initiatives to safeguard information stored on university-owned computers.

Quick Facts

• Date: 11/30/2009
• Institution: Pennsylvania Sate University
• Type of Incident: Penetration
• Number Affected: 303
• Source: ESI
• Abstract Source: The Daily Collegian

Abstract
Penn State recently notified current and former students after a security incident may have exposed personal information. On August 3, Penn State Security Operations and Services notified university officials that the online grade book a professor used was compromised by a computer virus. The grade book contained the names, grades and Social Security numbers for 303 current and former students. While the information was taken offline when the problem was discovered, the Dean of the College of Earth and Mineral Sciences did not send letters to those affected until November. University spokesperson Annemarie Mountz stated that the university's response was in line with Pennsylvaina's Breach of Personal Information Notification Act. According to Mountz, there is no evidence this information was accessed by any unauthorized individuals. Mike McEvoy, a class of 2006 alumni affected by this incident, said he was thankful the university took immediate action to remove the information but wishes they had notified him in a more timely manner.

Quick Facts

• Date: 4/9/2009
• Institution: Penn State University - Erie, The Behrend College
• Type of Incident: Penetration
• Number Affected: 10,868
• Source: OSF Data Loss Database
• Abstract Source: Penn State Live

Abstract
Penn State University officials are working to notify individuals after a computer containing personal information may have been breached. The server, containing historical information, contained the names and Social Security numbers of 10,868 individuals at Erie, PA Behrend campus. Behrend staff became aware of the potential breach when the college's intrusion detection system alerted them of the problem. Staff investigated the incident and confirmed the that computer contained Social Security numbers. However, staff was not able to confirm that the personal information was affected by the breach. The computer was taken offline and the sensitive data was removed. Behrend will begin sending out notification letters to the affected individuals April 11th.

Quick Facts

• Date: 3/17/2009
• Institution: Penn State University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 1,000
• Source: DataBreaches.net
• Abstract Source: Centre Daily Times

Abstract
Penn State University is working to alert employees after a virus infection may have exposed personal information. The infected computer, located in the Penn State Office of Physical Plant, was found to contain the names and Social Security numbers of about 1,000 employees from 2000. Penn State discontinued the use of Social Security numbers in 2005, but legacy files still contain this information according to Physical Plant spokesperson Paul Ruskin. The Office of Physical Plant has alerted all affected individuals and is reviewing all old data for the use of Social Security numbers.

Abstract

• Date: 1/25/2008
• Institution: Penn State University
• Type of Incident: Theft
• Number Affected: 677
• Source: ESI
• Abstract Source: The Daily Collegian

Abstract
A Penn State University laptop containing archived student information was stolen from a faculty member while traveling. This laptop contained the Social Security numbers and other student information on 677 students that attended PSU between 1999 and 2004. According to PSU's Chief Privacy Officer, David Lindstrom, the university does not believe the information was compromised but students should take measures to monitor their credit reports for fraudulent activities. Lindstrom did not reveal the location of the crime fearing that doing so would let the thief know what they had stolen.