Cyberattack on Penn State exposes passwords of 18K people

The university's president apologizes for a "sophisticated" security breach that it says involved an attack launched from China.

Dara Kerr Former senior reporter


Pennsylvania State University's College of Engineering revealed Friday that it has been the target of two "highly sophisticated" cyberattacks over the last two years.

University President Eric Barron issued an apology Friday that said usernames and passwords from more than 18,000 people may have been accessed. However, investigators did not find evidence that credit card and Social Security numbers were stolen, Barron said. Another statement from the school said a security company hired by the university to investigate the attacks concluded that at least one of the assaults originated from China.

"We all will need to take additional steps to protect ourselves, our identities and our information from a new global wave of cybercrime and cyberespionage," Barron said in his statement. "Well-funded and highly skilled cyber criminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property."

These assaults are the latest in a long line of cyberattacks on US universities. Hacks into databases at the University of California, Los Angeles, the University of Southern California and the University of Maryland have exposed the personal information of hundreds of thousands of people. Barron said that on average Penn State "repels" more than 22 million cyberattacks from around the world every day.

"In this particular case we are dealing with the highest level of sophistication," Barron said. "Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure."

The FBI first alerted the university to the cyberattack in November 2014. The school then hired security firm FireEye and its cybersecurity forensic unit Mandiant to investigate the breach. It was through this investigation that Penn State discovered at least one of the two attacks was based in China, the university said.

Various security experts have long accused China of waging a cyberwar on US businesses. A report by Mandiant released in 2013 linked China's People's Liberation Army to a large number of cyberattacks on US soil. However, the Chinese government has flatly denied that it is involved in cyberespionage or hacking.

The school has notified about 18,000 individuals that some of their personal information may have been breached -- most notably their Social Security numbers and College of Engineering-issued usernames and passwords. Penn State is offering those people one year of free credit monitoring. The school is also notifying roughly 500 public and private research partners about the breach.

"Advanced cyberattacks like this -- sophisticated, difficult to detect and often linked to international threat actors -- are 'the new normal,'" said Nick Bennett, Mandiant's senior manager of professional services. "No company or organization is immune -- the world's leading banks, energy companies, retailers and educational institutions have all been and will be targets."

While the College of Engineering recovers its systems, it has disconnected its computer network from the Internet. Barron said he believes the network will be back up in several days.