Penn State data may have been exposed

Penn State's "Old Main" administration building

Penn State issued a statement on Wednesday informing the university community that a computer in its Outreach Market Research and Data office was found to be actively communicating with a botnet command-and-control (CNC) server.

According to the statement, the database used by the office had previously contained individuals' Social Security numbers. The university discontinued use of SSNs for identification purposes in 2005, but it found that an archived copy of the information had gone undetected in the computer’s cache.

Geoff Rushton, a spokesperson for the university, told Infosecurity that “[we] have a very active program to try to scan for and eliminate personally identifiable information from computers where it is no longer needed for business purposes. Our goal is to scan every machine throughout the University, but of course given our size, that will take some time to complete.”

This was the second time in two weeks that Penn State, one of the nation’s largest research institutions, was compelled to send out letters to people whose personal details may have been compromised via university computers. The Pennsylvania Breach of Personal Information Notification Act required Penn State to notify affected individuals, who will receive letters with brochures on how to prevent identity theft.

In its statement, Penn State said it has no evidence of unauthorized access to information in the database. “Even when theft is only a remote possibility, we alert anyone who may have been affected”, said Sarah Morrow, chief privacy officer at the university.

Penn State’s Rushton also outlined the steps the university is taking to limit future incidents. “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports”, he said. “When a machine is compromised, it must be re-installed from known ‘good’ media before it's allowed back on the network, since it's not possible to truly clean a machine that's been fully compromised”.
