Quick Facts

• Date: 12/31/2009
• Institution: Eastern Washington University
• Type of Incident: Penetration
• Number Affected: 130,000
• Source: DataLoss DB
• Abstract Source: Seattle PI

Abstract
Eastern Washington University will soon being notifying current and former students following a sever breach. The system contained the names, dates of birth and Social Security numbers of 130,000 students dating back to 1987. The breach was discovered during a security assessment in early December. The investigation into the incident discovered that the system was breached and used to store video files. While the university does not have any evidence the information was accessed inappropriately, letters are being sent out as a precaution. In the letter to affected individuals, EWU President Rodolfo Arevalo stated that the university is treating the breach seriously and will continue to upgrade systems and security practices to protect sensitive information. EWU has setup a web site - www.ewu.edu/x67128.xml - with more information on the breach.

Quick Facts

• Date: 12/22/2009
• Institution: Western Michigan University
• Type of Incident: Unauthorized Disclosure
• Number Affected: Unknown
• Source: DataBreaches.net
• Abstract Source: New Hampshire Attorney General's Office (PDF)

Abstract
Western Michigan University has notified students after a mistake exposes student information online. According to the letter to the NH Attorney General's Office, student information such as Social Security numbers were inadvertently exposed online for "a brief period of time". The information was discovered on December 14, 2009 and the information was immediately removed. According to the university, there is no evidence the information was accessed, letters were sent out offering those affected a one-year membership in a credit monitoring service by IDExperts.

Quick Facts

• Date: 12/18/2009
• Institution: Penn State University
• Type of Incident: Penetration
• Number Affected: 30,000 (Updated)
• Source: DataLossDB
• Abstract Source: Penn State Live
• Update1 Source: Pittsburgh Post-Gazette, DataBreachs.net

Abstract
Penn State University is alerting former students after a computer containing personal information was compromised by malware. The computer, found to be infected with malware and communicating to computers outside of the university, contained an archived class list with 261 Social Security numbers. The university removed the infected computer from the network as soon the problem was discovered. According to PSU's chief privacy officer, Sarah Morrow, there is no reason to believe the student information was accessed but Penn State decided to err on the side of caution. As Morrow stated, "Even when theft is only a remote possibility, we alert anyone who may have been affected, and arm them with information and steps to take to mitigate their risk."

Update1
Pennsylvania State University has begun notifying individuals after a large scale malware outbreak was discovered. The outbreak, affecting multiple computers, involved systems containing the names and Social Security numbers of around 30,000 individuals. The systems affected belonged to the Eberly Colelge of Science (7,758 records), the College of Health and Human Development (6,827 records) and Penn State Schuylkill (15,000 records). According to Penn State spokeswoman Annemarie Mountz the Social Security numbers were contained in archived files on the systems affected by the malware and the university does not have any indication the files were accessed. Instead the letters, containing information on protecting against identity theft, were sent out as a precaution. As a result of this and a previous breach this year at Penn State's Behernd campus, Penn State has started initiatives to safeguard information stored on university-owned computers.

Quick Facts

• Date: 12/17/2009
• Institution: Alamance Community College, Beaufort County Community College, Bladen Community College, Blue Ridge Community College, Brunswick Community College, Central Carolina Community College, College of The Albemarle, Gaston College, Halifax Community College, Haywood Community College, Johnston Community College, Lenoir Community College, Martin Community College, Nash Community College, Pamlico Community College, Piedmont Community College, Richmond Community College, Roanoke-Chowan Community College, Rowan-Cabarrus Community College, Sandhills Community College, Southwestern Community College, Tri-County Community College, Vance-Granville Community College, Wake Tech Community College, Wilson Community College
• Type of Incident: Penetration
• Number Affected: 51,000
• Source: DataBreaches.Net
• Abstract Source: NC Community Colleges Press Release (PDF)

Abstract
The North Carolina Community Colleges system began notifying library patrons from 25 NC community colleges after a unauthorized individual gained access to a system housing patron data. The affected server, located in the NC Community Colleges System Office, was found to contain the personal information on 51,000 individuals including 12,400 Drivers License number and 38,500 Social Security numbers. The breach appears to have occurred on August 23, 2009 and NC Community Colleges staff became aware of the breach on August 24, 2009. An initial review discovered that 18 colleges used the Drivers License information to identify patrons. These colleges include Alamance, Beaufort, Blue Ridge, Brunswick, Central Carolina, College of The Albemarle, Gaston, Halifax, Johnston, Martin, Pamlico, Piedmont, Richmond, Rowan-Cabarrus, Tri-County, Vance-Granville, Wake Tech and Wilson. On October 19, 2009, the ongoing investigation uncovered that 12 colleges used Social Security numbers to identify patrons. these colleges include Bladen, Haywood, Lenoir, Nash, Pamlico, Richmond, Roanoke-Chowan, Sandhills, Southwestern, Tri-County, Vance-Granville and Wilson. The letters sent to those affected inform the individuals whether their Drivers License number or Social Security number (or both) were on the server and the letters contain information on how to check and secure credit profiles. NC Community Colleges are working to ensure that all personal data is removed from library systems to help prevent this incident from occurring in the future. The press release did not give a reason for the long delay in notification.

Quick Facts

• Date: 12/15/2009
• Institution: University of California, San Francisco
• Type of Incident: Penetration
• Number Affected: 600
• Source: PHIPrivacy.net
• Abstract Source: San Francisco Business Times

Abstract
The University of California, San Francisco has alerted patients after a physician's email account was compromised. The email account contained demographic and clinical information as well as some Social Security numbers on 600 patients. The email account became compromised in mid-October after the physician fell victim to a phishing scam. Accordign to UCSF news director Corinna Kaarlela, these 600 individuals were notified staring October 21 and December 11, 2009 which is the period during with the university conducted an in-depth investigation into the incident. While the investigation uncovered no indication the emails were accessed, individuals potentially affected were urged to carefully review statement from health insurers for suspicious payments and immediately report any discrepancies to their insurance provider.