MSU: Employee Social Security numbers at risk

[Erica Absetz <erica () riskbasedsecurity com>]

http://missoulian.com/news/state-and-regional/montana/msu-employee-social-security-numbers-at-risk/article_ac4e2c92-86af-59e4-ae0c-c7ef88a18fd4.html

The Social Security numbers of about 4,500 past and present Montana
State University employees may have been accessible to others because
of a computer virus, school officials said.

The Bozeman Daily Chronicle reports (http://bit.ly/128cVxn) that the
school earlier this month mailed out letters warning of the problem,
which was discovered March 5.

"There's no evidence this information was grabbed and taken," said
Montana State spokesman Tracy Ellig. "To date, we've not had reports
of any individuals having problems."

The employees have been offered a free one-year subscription to a
service designed to detect identity theft, said Ellig, who signed up
for the service.

The latest security lapse follows another in December 2012 when the
school found that birth dates, Social Security numbers, student loans
and worker compensation forms had been available online and
unencrypted for six weeks the previous summer.

Ellig said the school hired an outside computer forensics company to
analyze the hard drive of a computer in the human resources
department. The analysis found malicious software capable of getting
access to names and Social Security numbers. The company couldn't find
evidence that any information had been taken.

Ellig said names and Social Security numbers of employees are supposed
to be kept on a secure server that requires a password, and not
downloaded on individual computers.

The school has now installed identity-theft software that searches
individual desktop computers on campus.

"Information can end up on computers and the users do not realize it's
there," Ellig said. "We're going through and trying to flag every
computer that might have identity information."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.