Malware opens door to possible information exposure

A computer at Penn State Abington that contained 739 Social Security numbers (SSNs) was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network. The SSNs were found in archived documents related to grade books from 1999-2003, when the University still used SSNs as student numbers. "Malware" is short for malicious software and refers to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, worm or other destructive program.

As soon as the University became aware of the malicious software on this computer, the computer was immediately taken offline. Although it cannot be determined with certainty that any data was pulled from the computer by the infectious software, the University's policy is to take a cautionary stance and notify individuals who may have been affected. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.

"We have no reason to believe that this information was accessed by unauthorized individuals, but those affected should be alert in the event that an individual attempts to use their identity," said Sarah Morrow, chief privacy officer for the University. "Even when theft is only a remote possibility, we alert anyone who may have been affected, and arm them with information and steps to take to mitigate their risk."

Penn State is notifying those involved via letters sent Nov. 15 that include contact information should recipients have further questions. The mailing also includes a brochure detailing how to prevent identity theft. The information was compiled primarily from the FTC (Federal Trade Commission) and the Pennsylvania Attorney General's Web sites.

Penn State runs one of the larger efforts in the nation to scan for personally identifiable information and remove instances from systems that should not have such data, and provides anti-virus software for students, faculty members and staff. If a University computer is compromised, the University's Information Technology Services group investigates the problem and determines whether personally identifiable information is present. A compromised machine must be erased, and clean software installed, before the machine is reattached to the network.

"For both system administrators and general users, good security always includes basic steps, such as ensuring that both operating system and application patches are up-to-date and that current anti-virus software is installed," said Kathy Kimball, senior director of Security Operations and Services at the University. "Users should also be mindful not to answer 'phishing' scams that purport to be from someone official and request either personal information or passwords."

For information about Penn State's efforts to minimize computer security risks, visit the University's Be Safe website at online. For more detailed information about identity theft risks and prevention, visit online.