Cyber Incident Victim: Penn State Health
Date: Jul 2014
Location: United States of America
Summary
A malware infection on a computer in the development office potentially exposed 1,176 Social Security numbers from an archived alumni list. The system was immediately taken offline, and while unauthorized access couldn't be confirmed, notifications were sent to affected individuals with identity theft prevention resources. The organization follows breach notification protocols and maintains security measures including data scanning and antivirus software to protect sensitive information.
Description
On July 10, 2014, Penn State University disclosed a security incident involving a malware-infected computer within the Office of University Development and Alumni Relations at the Penn State College of Medicine. The compromised machine contained an archived 2005 alumni list with 1,176 Social Security numbers (SSNs), which the University had historically used as student identifiers before discontinuing the practice. Malware on the system enabled unauthorized external communication, though investigators could not confirm whether data exfiltration occurred. The infection was discovered through routine security monitoring, prompting immediate isolation of the affected computer from the network. The archived data had not been actively used since 2005, but its presence on an operational system created exposure risk under Pennsylvania's Breach of Personal Information Notification Act, which mandates disclosure even for potential compromises.

Upon containment, Penn State initiated breach notifications through mailed letters on July 10 to all potentially affected individuals, consistent with legal requirements. The notifications included identity theft prevention resources from the Federal Trade Commission and Pennsylvania Attorney General's office, along with contact information for further inquiries. University Privacy Officer Holly Swires emphasized the precautionary nature of the alerts, stating there was no evidence of actual data misuse but advising vigilance against identity theft. The Information Technology Services group performed forensic analysis and confirmed that the infected machine needed to be wiped and reimaged before it was reconnected to the network. This incident highlighted existing security protocols, including University-wide scanning for personally identifiable information, mandatory antivirus software deployment, and emphasis on patch management and phishing awareness as standard defensive measures.
