175 told of possible computer security incident at Purdue

April 24, 2007

Press Release


WEST LAFAYETTE, Ind. - Purdue University is informing 175 people who were students in fall 2001 that a Web page containing information about them was inadvertently available on the Internet.

The page, which was no longer in use but was on a computer server connected to the Internet, contained names and Social Security numbers of students who were enrolled in a freshman engineering honors course and were scheduling to meet with advisers. Although forgotten, the page had been indexed by Internet search engines and consequently was available to individuals searching the Web.

The page has been removed and, at Purdue's request, Yahoo and Google have removed the page from their indexes and cache. Letters are in the mail to those potentially affected.

"We have no direct evidence that any unauthorized person downloaded data or used it for illegal purposes, but we are trying to alert every individual whose information was in the file," said Kamyar Haghighi, head of the Department of Engineering Education.

Because the information in the document is more than five years old, the College of Engineering worked with the university's registrar's office and alumni association to acquire current addresses. Anyone who does not receive a letter but believes he or she may have been in the affected group can contact Purdue toll-free at (866) 307-8513 to inquire. More information about the incident also is available online at http://www.purdue.edu/news/coe0704.html. At the site, there are links to the Federal Trade Commission, where a complaint about fraud or identity theft can be filed, as well as links to apply for a credit report.

Under university policy, Social Security numbers are no longer used except where required by law. Instead, all students, alumni, faculty and staff, and others whose records are kept for business reasons are assigned a Purdue identification number.

"For decades it was accepted practice to gather and keep on file Social Security numbers because that was the standard means of keeping records on individuals," said Scott Ksander, chief information security officer in the Office of the Vice President for Information Technology at Purdue. "With the need to rely on computers for keeping records of all kinds and the presence of criminals intent on finding ways to access data, we have aggressively moved away from earlier practices in order to safeguard records and identities."

In addition, Purdue has a large-scale program called SecurePurdue under way to improve security.

Information security staff throughout the Purdue system share best practices and steps for remediation in the event of a break-in. To head off this threat, faculty and staff are instructed to install the latest security programs and to enable automatic updates of security utilities.

A number of steps have been taken to prevent security breaches in recent years. This fall, work began on a system to better detect and prevent intrusion into campus computer networks. The initiative includes expanded availability of anti-spyware software and intensive training for campus systems administrators.
