Data breaches slam campuses this summer


Penn State said in an announcement June 2 that the compromised computer “had at one time contained a database of Social Security numbers for official use by the university. The database was removed when Penn State stopped using [Social Security numbers] in 2005, but an archived copy remained undetected in the computer’s cache.”

The latest botnet attack at Penn State wasn’t the university’s first experience with malware. Penn State announced in December that bots had exposed information for about 30,000 students when computers across the campus were compromised.

Internet security experts say campus IT officials should stop using students’ Social Security numbers as identifiers, because about 5,900 known botnets have stolen valuable information from computers in many sectors, including higher education.

Shadowserver, an organization that tracks botnet incidents in governments, education, and the private sector, unveiled the running tally of botnets days before security firm Symantec released a report March 2 showing a 5.5 percent hike in spam eMail last month, spurred mostly by botnets.

Spam now accounts for 90 percent of all eMail sent within the U.S., Symantec said.

Peyton Engel, a technical architect for CDW-G, said colleges and universities find it easy to identify students by their Social Security numbers, but as botnets and viruses become more dangerous and difficult to detect, campus IT staff should assign students random numbers generated by an algorithm.

It’s not a solution for stopping botnet attacks, Engel said, but if hackers find student ID numbers that don’t correspond to Social Security numbers, damage can be mitigated.

“They haven’t found how to prevent the incident,” he said. “But they just made it so that it’s not as damaging [if a botnet attacks].”
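
Engel's recommendation, sketched as an added example (not code from the article or from any university): student IDs are drawn from a cryptographic random source instead of being derived from the Social Security number, and the SSN field is dropped when records are reissued. The 10-digit format, the Luhn check digit, and all function and field names are assumptions.

```python
import secrets

RANDOM_DIGITS = 9  # assumption: 9 random digits + 1 check digit = 10, so an ID is never SSN-length

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit, so a mistyped ID is rejected instead of matching another student."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def is_valid_id(student_id: str) -> bool:
    """True only for a 10-digit string whose last digit matches the Luhn check."""
    return (len(student_id) == RANDOM_DIGITS + 1 and student_id.isdigit()
            and luhn_check_digit(student_id[:-1]) == student_id[-1])

def new_student_id(issued: set) -> str:
    """Draw from the OS CSPRNG; nothing about the student (SSN, name, birth date) is an input."""
    while True:
        payload = "".join(secrets.choice("0123456789") for _ in range(RANDOM_DIGITS))
        candidate = payload + luhn_check_digit(payload)
        if candidate not in issued:  # retry on the rare collision
            issued.add(candidate)
            return candidate

def reissue(records: list) -> list:
    """Return copies of the records keyed by a random ID, with the SSN field dropped."""
    issued = set()
    migrated = []
    for rec in records:
        clean = {k: v for k, v in rec.items() if k != "ssn"}
        clean["student_id"] = new_student_id(issued)
        migrated.append(clean)
    return migrated

# Constructed sample rows; the SSNs use the never-issued 000 area number.
LEGACY = [
    {"ssn": "000-00-0001", "name": "Student A"},
    {"ssn": "000-00-0002", "name": "Student B"},
]

if __name__ == "__main__":
    for row in reissue(LEGACY):
        print(row)
```

Because the ID is random and not a hash or encoding of the SSN, a stolen ID list gives nothing to work back from.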