Penn State Investigates Malware Attack

Penn State University has notified nearly 30,000 people that their Social Security numbers may have been placed at risk after three school computers became infected with malware, The Pittsburgh Post-Gazette reported.

The breach occurred in archived files that were “essentially hidden” deep within the computer system, and there’s no evidence they were accessed by anyone, university spokeswoman Annemarie Mountz said, according to The Daily Collegian.

The malware was discovered by Penn State’s security operations division, and the breach was announced Dec. 23. The school mailed letters to those affected as a precaution.

“Even when theft is only a remote possibility, we alert anyone who may have been affected, and arm them with information and steps to take to mitigate their risk,” Sarah Morrow, Penn State's chief privacy officer, said in a statement.

The mailers also included an educational brochure about identity theft.

The Post-Gazette quoted an identity theft expert who said that despite PSU’s assurances, it appears that “they don’t know whether the malware worked or not.” That’s from Jay Foley, executive director of the Identity Theft Resource Center in San Diego.


Foley advises people who received one of the school notification letters to place fraud alerts on their credit reports. This can be done by contacting each of the three major credit-reporting agencies — TransUnion, Equifax and Experian. By attaching a fraud alert to your account, the companies generally will contact you anytime you (or someone identifying themselves as you) try to open up a new account for a credit card, cell phone or other service.

A fraud alert is only the starting point to protecting yourself, however: You should monitor your credit reports and your Social Security statement to watch out for any suspicious or unauthorized activity.