Breaches emphasize need for scanning, encryption

Mar 17, 2009

Recent news reports indicate a computer containing confidential information about the helicopter that transports President Barack Obama was breached by a computer in Iran. In January, Heartland Payment Systems, a company that provides credit and debit card, payroll and related processing services to more than 250,000 business locations nationwide, announced it had a data breach that potentially exposed credit card numbers, expiration dates and other data. The Heartland breach includes about 700 Penn State purchasing cards, which are in the process of being replaced.

The Resource Center, a nonprofit organization dedicated exclusively to the understanding and prevention of identity theft, said that 656 had been reported by the end of 2008, reflecting an increase of 47 percent over the 2007 total. As of March 17, the resource center already reported 110 breaches for 2009, potentially exposing close to 1.3 million records containing personally identifying such as Social Security and .

As the nationwide problem of identity theft continues to evolve and grow, Penn State is not immune. , downloaded by unsuspecting employees who click on messages containing links to fake greeting cards or other seemingly harmless sites, has compromised at University Park and other campuses.

"We cannot stress enough the importance of not clicking on links in e-mail if you do not know for sure who sent the e-mail to you," said Kathy Kimball, senior director of ITS Security Operations and Services. "The most common of these e-mails state that a friend sent you an e-card, and you need to click on the link to view it. When you click on the link, you're redirected to a Web site that downloads malicious software onto your computer without your knowledge, opening up security breaches that can affect every computer on the network to which your computer is connected."

Gary Langsdale, University risk officer, reports that since October of last year, his office has received reports of a number of potential privacy breaches, most of which are related to an employee inadvertently clicking on one of those malicious e-mail links.

One such breach happened at Penn State Harrisburg in December. A University computer containing personally identifying information, including Social Security numbers, of continuing education students was discovered to have been infected with malicious software that had been inadvertently downloaded from the Internet. The computer contained information for 557 continuing education students, along with roughly 50 student IDs from another university. The continuing education students work for five different Harrisburg-area employers.

"We're in the process of notifying those who may be affected," said Langsdale. "At this time we have no knowledge that this information was accessed by unauthorized individuals. Our goal is to alert anyone who may be affected and arm them with information and steps to take to lessen their risk of identity theft -- even if that theft is only a remote possibility."

Another breach involving the unintentional download of malicious software compromised a Penn State computer in the Office of Physical Plant at University Park in February. "Again, we do not have any information to indicate that sensitive information was accessed by unauthorized individuals, but we are in the process of notifying those who may be affected."

Those whose personally identifying information may have been compromised were sent a letter informing them of the breach. The letter included a brochure containing information from the Federal Trade Commission and the Pennsylvania Attorney General's Web sites about how to prevent identity theft, including placing a fraud alert through the credit reporting organizations.

"These breaches could have been prevented and they certainly illustrate the importance of the University's security and privacy initiatives," said Kevin Morooney, vice provost for Information Technology. "Our information environment is under attack several times a second each and every day, so we need to respond with increased efforts to protect privacy. And as a research university, we need to make sure that what we do is as unobtrusive as it can be to scholarship."

The security and privacy initiatives include the location and protection of personally identifiable information on University-owned computers and full-disc encryption to protect laptops that are stolen or lost. The first phase of the initiative, which began in fall 2008, is focused on scanning University-owned equipment in University facilities. The reviews will be exclusively limited to looking for numerical codes that resemble Social Security, credit card and bank routing numbers, as well as the presence of malicious software that might enable the compromise of sensitive data. Reviews will be accomplished with the full knowledge of everyone involved and file content, such as teaching materials, research materials, financial information, letters of recommendation and personnel files, will remain untouched.

Reviews will be accomplished with the full knowledge of everyone involved and file content, such as teaching materials, research materials, financial information, letters of recommendation and personnel files, will remain untouched, according to Kimball.

"We want to emphasize the scanning effort is not designed to highlight personal files or other material aside from the numerical patterns we have just described," Kimball said. "The ITS Security Operations and Services team has already been able to help many units at Penn State go through the review for sensitive data and we can report that the process has gone very well. In fact, it has resulted in a reduction of unprotected, personally identifiable information on Penn State networks."

Provided by Pennsylvania State University (news : web)

Explore further: Voice, image give clues in hunt for Foley's killer

add to favorites email to friend print save as pdf

Related Stories

Is danger of identity theft overblown?

May 23, 2006

The announcement yesterday about the loss of personal electronic data on up to 26.5 million veterans is the latest in a string of similar reports about information security breaches at major institutions in the last two year ...

Spyware poses identity-theft risk (Update)

Sep 15, 2005

A new study finds that a growing amount of Internet spyware -- programs downloaded to users' computers without their knowledge -- is designed specifically to steal personal information that could be used for identity theft. ...

Few thrilled by ID theft bill

Nov 18, 2005

Senate members will soon be voting on a controversial new identity theft bill, but some experts think it doesn't have enough teeth. The Personal Data Privacy and Security Act, sponsored by Sen. Arlen Specter, R-Pa., and Sen. ...

Recommended for you

Voice, image give clues in hunt for Foley's killer

7 hours ago

Police and intelligence services are using image analysis and voice-recognition software, studying social media postings and seeking human tips as they scramble to identify the militant recorded on a video ...

Smartphone-loss anxiety disorder

8 hours ago

The smart phone has changed our behavior, sometimes for the better as we are now able to connect and engage with many more people than ever before, sometimes for the worse in that we may have become over-reliant on the connectivity ...

Why conspiracy theorists won't give up on MH17 and MH370

Aug 20, 2014

A huge criminal investigation is underway in the Netherlands, following the downing of flight MH17. Ten Dutch prosecutors and 200 policemen are involved in collecting evidence to present at the International Criminal Court in the Hague. The inv ...

Here's how you find out who shot down MH17

Aug 20, 2014

More than a month has passed since Malaysia Airlines flight MH17 crashed with the loss of all 298 lives on board. But despite the disturbances at the crash site near the small town of Grabovo, near Donetsk ...

Assange talks of leaving embassy, sowing confusion

Aug 18, 2014

WikiLeaks founder Julian Assange sowed confusion Monday with an announcement that appeared to indicate he was leaving his embassy bolt hole, but his spokesman later clarified that that would not happen unless ...

User comments : 0