Yesterday, Penn State University took the computer network of its engineering college offline while it works to free the system of sophisticated hacking that has gone on for more than two years. Penn State first became aware of the hacking in November of 2014 when it was informed of the hacking by the FBI. After an extensive investigation it was determined that the hacking was done by two separate groups. The first group was Chinese government hackers and the second, unrelated group, while not yet identified by investigators is thought to be another state-sponsored group. Russia and Iran have both been active in world wide hacking activities although neither has been specifically tied to this particular hacking.
American engineering schools, including MIT, and Carnegie Mellon, have been targets of Chinese state sponsored hacking for many years. The goal of these hackings have been to gain information for both commercial and national defense purposes.
The fact that the hackers had unrestricted access to Penn State’s engineering schools computer networks for more than two years raises the distinct probability that they were able to exploit this access in order to gain access to some or all of the 500 companies, government agencies and other universities tied to this computer network.
I have written many times of the extreme vulnerability of colleges and universities, which often gather and keep much personal information for which they have no real need, such as the Social Security numbers of applicants to the schools or Social Security numbers of alumni. Coupled with lax security at many colleges and universities, this gathering and keeping of personal information for which the schools have no need puts the people whose information is affected in great danger of identity theft. It is important for all of us to always inquire as to any company or agency that has personal information of ours as to what they do to keep this information secure. This also emphasizes the need for us all to be extremely vigilant in monitoring our accounts for early indications of identity theft.
As for the larger issues of both corporate data security and national security, it is of the highest importance for companies and the government to cooperate better in developing and implementing secure data protection systems.