Purdue Notifies Students of Potential Security Breach

September 22, 2006

InsideINdianaBusiness.com Report


Purdue University is notifying more than 2,400 people that were students in 2000 that a computer containing their personal information may have been accessed remotely by unauthorized people.

The possible breach was discovered during a security check of an administrative workstation in the Department of Chemistry. Officials say software may have been installed remotely on the hard drive to permit the files containing names and social security numbers to be downloaded.

WEST LAFAYETTE, Ind. - Purdue University is informing people who were students in 2000 that a single desktop computer containing information about them may have been accessed by unauthorized individuals.

The possibility was discovered this month during a security check of an administrative workstation in the Department of Chemistry. The incident involved a file dated Feb. 4, 2000, that contained personal identifying information, including Social Security numbers, names, school, classification, major and e-mail addresses for 2,482 students. A total of 2,672 records were involved, but some did not contain Social Security numbers.

According to a preliminary analysis of the computer, an unauthorized person may have gained access to the hard drive remotely and installed software that would have permitted files to be downloaded.

"We have no direct evidence that any unauthorized person viewed or downloaded data, but we know that the computer had been compromised," said Jeffrey Vitter, dean of the College of Science, in which the chemistry department is located. "We are trying to alert every individual whose information was in the file."

Because the information in the document is six years old, the College of Science worked with the Purdue University Development Office to acquire current addresses. Anyone who does not receive a letter but believes he or she may have been in the affected group can contact Purdue at (866) 307-8520 to inquire. More information about the incident also is available online. At the site, there are links to the Federal Trade Commission, where a complaint about fraud or identity theft can be filed, as well as links to apply for a credit report.

Under university policy, Social Security numbers are no longer used, except where required by law. Instead, all students, alumni, faculty and staff, and others whose records are kept for business reasons are assigned a Purdue identification number.

"For decades, it was accepted practice to gather and keep on file Social Security numbers because that was the standard means of keeping records on individuals," said computer forensic expert Scott Ksander, interim executive director for networks and telecommunications in the Office of the Vice President for Information Technology at Purdue. "With the need to rely on computers for keeping records of all kinds, and the presence of criminals intent on finding ways to access data, we have moved away from earlier practices in order to safeguard records and identities."

In addition, Purdue also has a large-scale program called SecurePurdue under way to improve security. It was because of the system testing called for by this program that this potential exposure was detected and corrected, Ksander said.

Information security staff throughout the Purdue system share best practices and steps for remediation in the event of a break-in. To head off this threat, faculty and staff are instructed to install the latest security programs and to enable automatic updates of security utilities.

A number of steps have been taken to prevent security breaches in recent years. This fall, work began on a system to better detect and prevent intrusion into campus computer networks. The initiative includes expanded availability of anti-spyware software and intensive training for campus systems administrators.


The following steps can help guard against identity theft:

. Carefully watch financial statements and credit reports statements to check for entries that you do not recognize or any new accounts opened in your name.

. Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission recommends that you check your credit reports periodically. Identity theft information sometimes is held for use later or shared among a group of thieves for use at different times.

. Check your credit reports periodically, alternating among the three credit agencies every four months.

. Contact one of the three credit reporting agencies to put a fraud alert on your file. (When you request this from one agency, the other two will also put an alert on your file.) All three credit reporting agencies can be accessed online. To request your credit report by phone, call (877) 322-8228; your reports will be mailed to you.

. If you think you have been the victim of fraud or identity theft, contact the Federal Trade Commission to file a complaint or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible by law enforcement agencies for their investigations. The FTC also will advise you on further steps to take in the event your information is being used illegally.

. Download the FTC's comprehensive 26-page booklet "ID Theft: When Bad Things Happen to Your Good Name,". To obtain a copy by mail, or if you have questions or concerns, please contact Purdue's College of Science at (765) 494-1764.

main page ATTRITION feedback