May 15, 2015
Pennsylvania State University said on Friday two cyberattacks on its College of Engineering compromised servers containing personal information on about 18,000 people.
Penn State said there was no evidence that research data or personal information, such as Social Security or credit card numbers, had been stolen.
Penn State first learned of the breach in November, when the Federal Bureau of Investigation alerted the university, Penn State executive vice president Nicholas Jones said.
An investigation has been ongoing since then.
Cybersecurity firm FireEye Inc.'s forensic unit, Mandiant, hired by Penn State after the breach was discovered, said the first attack took place in September 2012, and the second in mid-2014.
Mandiant confirmed that at least one of the two attacks was carried out by a "threat actor" based in China, Penn State said.
"Cyberattacks like this - sophisticated, difficult to detect and often linked to international threat actors - are the new normal. No company or organization is immune," Nick Bennett, senior manager at Mandiant, told Reuters.
Penn State said investigators found that a number of college-issued usernames and passwords had been compromised but only a small number had been used to access its network.
The university said the College of Engineering's computer network has been disconnected from the Internet and that work is under way to recover all systems.
The outage is expected to last for several days, and the effects will largely be limited to the College of Engineering, Penn State said.