Pennsylvania State University announced Friday that it has disconnected its networks from the public after suffering a two-year-long data breach in its College of Engineering. Penn State President Eric J. Barron said it will be a number of days before Penn State brings its network back online and reopens it to the public.
Penn State learned of the ongoing two-year attack when the FBI alerted the university in November 2014. FBI officials warned of “a cyberattack of unknown origin and scope” perpetrated by “an outside entity” targeting the school.
Following FBI alerts, the university hired a third-party network forensics, incident response and data breach firm, Mandiant, whose forensic analysis revealed several advanced hackers had breached Penn State’s network years ago. Two advanced threats identified on the network were found dropping persistent malware on the Penn State network. One of the two threats, Penn State itself announced, is believed to be of Chinese origin.
Penn State University claims that despite the hackers’ two-year spree on the university network, the attackers did not steal any valuable information or sensitive research, including any personally identifiable information. Students’ credit cards, Social Security numbers and IDs, among other personal information, were not breached, according to the school.
The school’s claim isn’t entirely true, as Penn State is notifying 18,000 students affected by the breach after forensic investigators discovered a file containing 18,000 students’ Social Security numbers in plain text.
Further underplaying the breach, Penn State insists that hackers only stole network access credentials for the university. Attackers then abused those credentials to breach the school network and steal student information. College faculty, staff and students visiting the Penn State website are being required to change their passwords, and anyone accessing the site from a VPN will be required to set up two-factor authentication.
Penn State waited over seven months to disclose the network breach, and disclosed only vague details on how attackers were able to compromise the engineering department systems. Statements issued by the university, and its responses to press requests, exclude any and all information regarding how the attack was executed.
“In order to protect the college’s network infrastructure as well as research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” Penn State said in the breach FAQ. “Any abnormal activity by individual users may have induced additional unwelcome activity, potentially making the situation even worse.”
Penn State has denied hundreds of media inquiries, replying with vague responses regarding the recent breach.
The university estimates it has spent roughly $2.85 million dealing with the recent cyberattack. Penn State paid some $450,000 for third-party forensic experts to identify the scope of the breach and has spent the remaining $2.4 million on replacing infected hardware.