Three Penn State University computer breaches described by an official as apparently unrelated have prompted the school to begin notifying nearly 30,000 individuals that their Social Security numbers may have been compromised.
The breaches, occurring sometime before Christmas at two main campus colleges and at a Penn State branch campus, each involved computers infected by malicious software known as malware, Penn State spokeswoman Annemarie Mountz said yesterday.
The school last Wednesday began sending out letters to individuals potentially affected.
The areas and extent of the records involved in the attacks include Eberly College of Science, 7,758 records; the College of Health and Human Development, 6,827 records; and a Penn State campus beyond University Park, approximately 15,000 records, according to a statement issued by the university.
Penn State, in the midst of an investigation, did not identify the branch but said it will do so once it completes efforts to identify and alert those on that campus who may have been affected.
Penn State said the letters, which included a brochure with advice on identity theft, were sent as a precaution.
"Let me emphasize here that while the information -- in this case Social Security numbers -- was in archived files on computers that were infected by malware, we do not have any indication that it was accessed by unauthorized parties," Ms. Mountz said. "We prefer to err on the side of caution."
One identify theft expert suggested that those potentially impacted at Penn State, once notified, take steps immediately to protect themselves.
"English translation: They don't know whether the malware worked or not," said Jay Foley, executive director of the San Diego, Calif-based Identity Theft Resource Center. "I would strongly suggest that any of the 30,000 individuals whose information was on those computers place fraud alerts."
The ongoing rash of computer breaches worldwide highlights the difficulty of safeguarding sensitive data once collected and stored, experts say. Those perpetrating breaches are using ever more sophisticated techniques, even as the anti-virus community becomes more nimble at thwarting them.
"It's like an arms race," said Ron Plesco Jr., president and chief executive officer of the National Cyber-Forensics and Training Alliance, headquartered in Pittsburgh, a collaborative center that shares information on cyber threats with industry, law enforcement and academic institutions worldwide.
At Penn State, Ms. Mountz cited ongoing initiatives to safeguard information stored on university-owned computers, including an effort to identify malware.
The university's Web site reported an earlier breach this year at Penn State. It said university officials confirmed on March 23 that 10,868 Social Security numbers on a computer at Penn State Erie, the Behrend campus, might have been compromised.
Bill Schackner can be reached at email@example.com or 412-263-1977.