Penn State University has a potential data breach on their hands–and not because of a stolen computer that lacked drive encryption software such as AlertBoot. In this case, it’s malware that’s causing the (potential) problem.
Letters Sent Out December 23
On December 23, databreaches.net posted news that Penn State was sending out data breach notification letters to approximately 30,000 people. Malware infections were found at the Eberly College of Science (7,758 records); the College of Health and Human Development (6,827 records); and one of Penn State’s campuses outside of University Park (roughly 15,000 records).
It was noted that the letters were being sent out as compliance measures under the Pennsylvania Breach of Personal Information Notification Act.
According to a story at the Pittsburgh Tribune-Review that was published today, the sensitive data that got compromised was people’s SSNs, although it’s not certain whether the data was actually accessed.
It sounds like PSU has decided to err on the side of caution and assume that the presence of malware and SSNs on the same computer was not a good thing. PSU is still in the process of determining whether that’s actually the case (for all we know, the malware could have been used to direct DDOS attacks against a particular network, and not designed for scraping information).
Data Security Involves More Than Encryption
As I frequently note, encryption is not a panacea when it comes to data security; the theft of laptops and USB disks is not the only way of illicitly acquiring data. That being said, file encryption would have helped in this case:
“The Social Security numbers were in archived files that people didn’t realize were on their computers,” said Mountz [spokeswoman for Penn State]. She did not know the types of computers that housed the data.
When you don’t know where your files are, how do you protect them? That’s a trick question. The answer is to know where your files are, and you won’t have to ask yourself the above. This, however, is easier said than done.
The truth is that it’s virtually impossible to keep track of sensitive data. That’s why sensitive files ought to be encrypted. This way, even if they end up somewhere where they shouldn’t be, access to the information is restricted.
Of course, sometimes it’s impossible to encrypt files, not because of a technical limitation, but because it disrupts the flow of work. Then again, not running with scissors also seemed to disrupt the flow of work back then when my biggest hazard was not eating glue….