Quite simply, some 30,000 Social Security numbers at Penn State University (PSU) became vulnerable after a malicious software attack. A spokeswoman for PSU said, “We’re not sure if the data was accessed” and “The Social Security numbers were in archived files that people didn’t realize were on their computers.”
And because of the 2006 state Breach of Personal Information Notification Act, PSU is mandated to notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised. This they are doing for those affected at the Eberly College of Science and the College of Health and Human Development.
Obviously the two breaches back in 2008, and the other “protection” methods deployed that same year, did nothing to prevent this particular breach, as the school is still trying to determine whose numbers were exposed.
Josh Shaul, vice president of product management for Application Security Inc., a New York-based company that specializes in database security, said of this breach that “Unfortunately, a majority of organizations that are as large and as longstanding as Penn State are in the same situation” and that “Younger organizations build information technology infrastructure with today’s security threats in mind.”
Additionally, Shaul states that “organizations must first protect data they know exist. Second, officials must search for data that could be in unknown places. Finally, officials must establish a system to keep data, known and unknown, within the organizations’ networks.”
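Shaul’s second step, searching for data in places nobody remembers, is exactly the gap the “archived files that people didn’t realize were on their computers” fell into. As an added example (not from the post, PSU, or Application Security Inc.), here is a small Python discovery scan that walks a directory tree, looks inside zip archives, counts structurally plausible SSNs per file without ever storing the values, and builds its own constructed sample data; the file names and contents are assumptions.

```python
import os
import re
import tempfile
import zipfile

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")  # 3-2-4 digits, dash/space/none


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that were never issued: 000/666/9xx area, 00 group, 0000 serial."""
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Number of SSN-shaped, structurally plausible values in a text blob."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def iter_documents(root: str):
    """Yield (label, text) for every file under root, descending into .zip archives."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            label = os.path.relpath(path, root)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if not member.endswith("/"):
                            yield f"{label}!{member}", zf.read(member).decode("utf-8", "ignore")
            else:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    yield label, fh.read()


def scan_tree(root: str) -> dict:
    """Map each document holding plausible SSNs to its hit count; the values are never stored."""
    hits = {label: count_ssns(text) for label, text in iter_documents(root)}
    return {label: n for label, n in hits.items() if n}


def make_sample_tree() -> str:
    """Constructed sample data: a plain file, a clean file, and a forgotten archive."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("SSN 123-45-6789 and impossible 000-12-3456\n")
    with open(os.path.join(root, "clean.txt"), "w") as fh:
        fh.write("order 12345, phone 555-0100\n")
    with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as zf:
        zf.writestr("old/roster.txt", "219 09 9999, 987-65-4320, 666-12-3456\n")
    return root
```

Run `scan_tree(make_sample_tree())` to see only the two documents that actually hold plausible numbers reported, with counts rather than the numbers themselves, which is what a notification triage needs.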
Interesting quotes, as it seems that PSU did try to take measures in 2008, AND I’d venture to say that many new, as well as old, organizations have no idea where all their sensitive data exists within their company. Maybe it’s time we start deploying intelligent mechanisms that detect who is doing what, and when, on our networks.