Have you ever wondered how customers and clients feel in the aftermath of a breach?
I got one of those “Hello. We’ve been breached and your records may have been compromised.” letters in the mail the other day. While my experience as a network security writer doesn’t exactly make me the typical recipient of such a letter, I thought that my personal experience would provide organizations with the kind of reaction they may not normally get, and perhaps this will help someone better refine their post-breach action plan. You do have one already in place, right?
For some background, I worked at Penn State University many years ago, with a three-year stint in the College of Engineering in the early 2000s. I should also say that I’m a Penn State alumna, and I have close ties with the university, through my own activities and through relationships with family members. I’m also friendly with people who work in IT security capacities, as well as with people who work with highly sensitive research. So, when it was announced two weeks ago that Penn State’s College of Engineering was the victim of a sophisticated attack, the news was more than just the latest headline; it was personal.
According to eSecurity Planet, the attack occurred last fall:
On November 21, 2014, according to the university, the FBI alerted Penn State to a cyber attack on the College of Engineering network. The university then hired Mandiant to investigate the attack, and uncovered two previously undetected threat actors on the College’s network, at least one of which came from China. The earliest known date of intrusion was September 2012.
The article went on to say that 18,000 people would be notified that their records may have been compromised. I was one of them, and my letter stated, in part:
We have confirmed that a file or document containing your Social Security Number resided on a compromised system or computer within the College. Although Penn State is unaware of any attempted or actual misuse of your personal information, out of an abundance of caution, we are providing you notice of this incident.
The university is also offering a year of credit monitoring and advice on other steps to take.
My reaction to this letter? I didn’t know whether to laugh hysterically or scream loudly. (I did both.)
The letter explained the attack much the same as the eSecurity Planet article did. A secure Penn State website was created to explain the attack in greater detail, which includes a long letter from the school’s president and a FAQ that, quite frankly, doesn’t provide any answers. This website wasn’t included in the letter, which I believe was a huge mistake. At least the website attempts to answer some questions that the letter did not, primarily, why it took so long between discovery of the attack and notification of compromised records:
In order to protect the college’s network infrastructure as well as research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation. Any abnormal activity by individual users may have induced additional unwelcome activity, potentially making the situation even worse.
Okay, on one hand I understand that. On the other hand, my personal information may have been compromised months ago, and I could have been monitoring things more closely had I been told. And why didn’t it fall under Pennsylvania’s breach notification laws? Did an FBI investigation supersede that law?
I also wanted to know why my Social Security number was on the College of Engineering servers to begin with. First, that would be the type of data held by the human relations department, which is its own entity at Penn State. Second, why would that information still be held 12 years after my employment there ended? Does this mean my personally identifiable information is stored within the administrative offices and servers of other departments on campus with which I had spent time as both an employee and student?
The letter made me angry because it didn’t even begin to address the many questions I had, and it also had me shaking my head because I felt the letter was more to legally protect the university than anything. It never explained the steps that the university is taking to better address its security problems in the future. The only thing that the school has been vocal about in the aftermath of all of this is that it did not involve “inside” players, but I’m skeptical about that, too. Especially when someone like Frank W. Abagnale, who was profiled in the movie “Catch Me If You Can” and now works with the FBI on security breach investigation, says that he’s never investigated a breach without some inside component to it. It will be interesting to see if we ever find out what really happened.
I have too many ties with Penn State to cut it out of my life, and now I’m concerned about where the next security breach will happen and what other details about my or my family’s lives will be compromised. However, if this were some business I frequent, and I got a letter that told me it took years to reveal a breach where my PII was possibly compromised and then provided very few details and didn’t lead me to a location where I could get more information, I would be taking my business elsewhere—quickly.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba