Penn St. warns of computer-privacy breach


December 31, 2009 at 12:00a.m.

STATE COLLEGE, Pa. (AP) — Nearly 30,000 individuals associated with Penn State may have had their Social Security numbers exposed because of privacy breaches caused by infected university computers, school officials said Tuesday.

A school spokeswoman said there is no evidence the information has been accessed by unauthorized parties, but that the university is notifying individuals as a precaution that their information is on an infected computer. It was not immediately clear whether the affected individuals were all students.

The school announced Dec. 23 that the computers have been hit by so-called “malware,” or malicious software.

Spokeswoman Annemarie Mountz said that as of Tuesday, about 7,700 individuals have been contacted due to computer problems at the Eberly College of Science, with another 6,800 at the College of Health and Human Development.

Another 15,000 records were affected at a still-unnamed branch campus. Mountz said that investigation is not complete and that letters will be sent once the individuals’ identities are determined.

The Social Security numbers were in archived files on infected computers.

Still, “We do not have any indication that it was accessed by unauthorized parties. We prefer to err on the side of caution, and notify people if their information is on an infected computer,” Mountz wrote Tuesday in an e-mail.

Penn State’s Security Operations and Services office detected the breaches. University offices are closed for the holiday break until Jan. 4, and the school’s chief privacy officer, Sarah Morrow, did not immediately respond to telephone or e-mail messages seeking comment Tuesday.

Mountz said she did not have an exact timeline.

A 2006 state law mandated the university notify anyone whose “personally identifiable information is potentially disclosed when a computer is lost or compromised,” Penn State said in last week’s statement.

Earlier this month, Penn State said a computer at its Dickinson School of Law campus in Carlisle was infected. The school notified 261 students that their Social Security numbers were on an archived class list on the computer.

There was no evidence in that case that the information was obtained by unauthorized users, Penn State has said.