Penn State University has sent out data breach notification letters to nearly 16,000 individuals to let them know that a computer in its Outreach Market Research and Data office was found to be actively communicating with a malicious botnet and that personal information including Social Security numbers may have been compromised.
Penn State has not used SSNs as a student identifier for 5 years; however, an archived copy of a legacy database apparently still existed on the compromised server.
A Penn State spokesperson explained that “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports. When a machine is compromised, it must be re-installed from known ‘good’ media before it’s allowed back on the network, since it’s not possible to truly clean a machine that’s been fully compromised.”
All of those are excellent security controls and fit nicely with established security best practices. However, the data itself should be encrypted so that if and when an attacker figures out how to circumvent those defenses the data itself will still be impervious to unauthorized access.
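The point above is that an archived export with sensitive fields should be unreadable to anyone who lands on the box, even after the other controls have failed. The Go program below is an added illustration of that design and is not code from Penn State or from this blog: it seals a constructed, made-up legacy export with AES-256-GCM, assuming the key is supplied from outside the host (a KMS or hardware token, not a file beside the archive), and checks that the stored bytes no longer contain the plaintext identifiers and that any tampering is rejected on decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// legacyArchive is a constructed stand-in for an archived legacy export.
// The rows and numbers below are invented for this example.
var legacyArchive = []byte("id,name,ssn\n1,Alice Example,123-45-6789\n2,Bob Example,987-65-4321\n")

// EncryptArchive seals plaintext with AES-256-GCM.
// The 32-byte key is assumed to be fetched from outside the host at use time,
// so a compromised server holds only ciphertext.
// Stored layout: nonce || ciphertext+tag.
func EncryptArchive(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptArchive opens a sealed archive; it fails on a wrong key or any
// modification of the stored bytes because GCM authenticates the ciphertext.
func DecryptArchive(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed archive too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether any of the given sensitive values appear
// verbatim in the stored bytes, i.e. what a reader of the file on disk would see.
func LeaksPlaintext(stored []byte, secrets ...string) bool {
	for _, s := range secrets {
		if bytes.Contains(stored, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	// In production this key would come from a KMS or token, never from the same disk.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := EncryptArchive(key, legacyArchive)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext SSN visible in stored file:", LeaksPlaintext(sealed, "123-45-6789"))
	plain, err := DecryptArchive(key, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, legacyArchive))
	sealed[len(sealed)-1] ^= 0x01 // simulate on-disk tampering
	_, err = DecryptArchive(key, sealed)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The design choice that matters here is key placement: if the key sits in a config file next to the archive, an attacker with a foothold on the server gets both, and the encryption adds nothing. Keeping the key off the host (and only in memory during the brief window the archive is actually needed) is what makes the stored copy useless to malware running on the machine.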
Tags: botnet, data breach, encryption, Penn State