Security Vignettes
----
Accidental Internet Posting
Identity theft is on the rise. Think you're busy in your normal routine right now? If you've never been a victim of identity theft, try to imagine the inconvenience you would experience while trying to reclaim your identity. People who have experienced identity theft know how much this event has interfered with their lives and daily activities - creating high levels of personal stress, fraudulent expenses in their name, and sometimes ruining their credit rating for years to come.
In 2007, more than 8,000 United States Marines had their personal identities exposed as a result of an accidental Internet posting by a Penn State researcher. The University and the U.S. Marine Corps learned about the breach from one of the individual marines, who found his own Social Security Number (SSN) on the Web while performing a Google search. The researcher involved had inadvertently posted a file he did not know contained confidential information.
While no identity theft incidents have been reported that are traceable to this event, the breach could have been avoided if the SSN data had been handled more securely. Remember that security at Penn State involves more than simply keeping your own information secure. Be conscious and aware of the sensitivity of data relating to any individuals for whom you are responsible or whose data you use on a daily basis. Check all files before posting. The individual precautions taken by Penn State faculty and staff can greatly reduce the possibility of identity theft affecting employees, students, and donors.
Ask your technical support personnel about file scanning and remove any unsecured and non-essential sensitive information immediately.
-----
Compromised Computer
Staying ahead of best business practices, the College of the Liberal Arts initiated a file-scanning program for staff and faculty members in mid-2007. The scan results uncovered a significant amount of sensitive information residing unknowingly on local hard drives. The information was removed.
A few weeks into the scanning process, it was discovered that one of the recently scanned computers had been compromised by the installation of malicious software code while the computer was connected to the Internet. The software linked the computer to a network of other computers known as a "botnet," which runs automatically and autonomously to control the computer. The connection exposed the contents of the entire system to an intruder, but the earlier work of the College of the Liberal Arts in removing sensitive data during the file-scanning process meant that no personal information was lost or stolen.
Ask your technical support personnel about file scanning and remove any unsecured and non-essential sensitive information immediately. Computer compromises can happen without your knowledge and bots can be installed on a machine in a matter of seconds, even while the computer user is visiting trusted Web sites.
----
Stolen University Laptop
A University laptop was stolen from a Penn State University Park faculty member. As with many electronics today, briefly leaving a laptop in a public area while making a phone call, visiting the restroom, or chatting with a friend can cause the device to fall into the hands of an intruder or opportunistic thief. Could information found on the laptop in this type of situation be used by organized crime and result in identity theft or other fraudulent activities? It is very possible.
This theft was reported and investigated by two different police jurisdictions and the computer's service tag number was entered into the database of the National Crime Information System. Further investigation confirmed the laptop contained archived information and Social Security numbers (SSNs) for 677 students attending Penn State between 1999 and 2004. The faculty member firmly believed that the laptop contained no sensitive information. To date, there have not been any reports of identity theft related to this incident.
If you've worked at Penn State for a number of years, you may be wondering how it might be possible for SSNs to continue to reside on an unsecure laptop even after the University stopped using SSNs as identifiers as part of the SSN conversion project in 2004. Every day, archive information is being transferred from one computer to another at the University, often without the oversight necessary to look at each file and confirm the nature of the contents. SSNs have been part of many documents including Staff Review and Development Plans (SRDPs), class rosters from the late 1990s, and lists of scholarship contenders. It is important for the Penn State community to do more to further (and ultimately conclude) efforts that took place during the conversion project in 2004. The scanning initiative, which is part of Penn State's Information Privacy and Security (IPAS) project, is helping the University address these needs.
Since 2006, more than 75 laptops at the Penn State University Park campus have been reported stolen, and approximately 30 of these laptops were stolen in 2008. Don't be the next "stolen laptop victim" and don't contribute to the theft of someone else's identity. Ask your technical support personnel about file scanning and remove any unsecured and non-essential sensitive information immediately.
----
Data Loss Statistics
The above vignettes are related to Penn State. Other educational and corporate data loss statistics can be found at: