Penn State University is notifying roughly 18,500 individuals and public and private research partners that their personal information may have been compromised by two threat actors that were identified on the College of Engineering network, one of whom appears to be based in China.
How many victims? About 18,000 individuals whose information was discovered in files on affected machines in the College of Engineering. About 500 public and private research partners who have executed contracts with College of Engineering faculty.
What type of personal information? Social Security numbers were among the personally identifiable information.
What happened? Two threat actors were identified on the Penn State College of Engineering website – one of whom appears to be based out of China – that could have gained access to the personal information.
What was the response? Penn State is in communication with the FBI and has retained the services of Dell SecureWorks and, later, Mandiant to carry out an investigation and aid in remediation.
The College of Engineering was disconnected from the internet in order to allow a large-scale operation to upgrade affected computer hardware and fortify the network against future attacks. The outage is expected to last for several days, but cause minimal disruption to the rest of the Penn State community.
Two-factor authentication on major University systems, stronger password management practices and enhancements to system and software administration are being implemented. All College of Engineering faculty and staff at University Park, as well as students at Penn State campuses who recently took at least one engineering course, are being required to choose new passwords for their Penn State access accounts. All potentially impacted individuals are being notified and offered a free year of credit monitoring services.
Details: Penn State was tipped off by the FBI on Nov. 21, 2014, about suspicious cyber activity directed at computers in the College of Engineering. An investigation revealed two threat actors on the network, and later analysis by Mandiant revealed that one threat actor is based in China. Analysis placed the earliest known date of attack in September 2012. The threat actors used custom malware and other tactics to infect the College of Engineering's network and computer systems. Evidence shows that a number of College of Engineering-issued usernames and passwords were compromised, and that a small number of those accounts were used by the attackers to access the network.
Penn State has no evidence that research data or personally identifiable information, such as Social Security or credit card numbers, have been stolen.
Quote: “In order to protect the college's network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” according to a message from Eric Barron, president of Penn State.
Source: securepennstate.psu.edu, “Secure Penn State,” May 15, 2015.