Minnesota-based Metropolitan State University has issued a notification, alerting faculty, staff and students that an attacker may have breached its web server to access a database that contained their personal information.
How many victims? Insufficient information, as of Friday.
What type of personal information? Employee Social Security numbers are among the personal information. Financial and credit card data is not believed to have been on the server.
What happened? An attacker may have breached a Metropolitan State University web server to access a database that contained the personal information of faculty, staff and students.
What was the response? Minnesota State University ran a third party security vulnerability scan of its website, and quickly made fixes to its servers and website to address vulnerabilities. The university established new data access controls, prepared a new server to host its website, began correcting code to allow successful transition of website content, established new network security controls, and enabled logging to monitor access. An investigation is ongoing.
Details: The initial investigation suggests the attack occurred in mid-December 2014. Metropolitan State University learned about the incident on Jan. 2. Metropolitan State University is a part of the Minnesota State Colleges & Universities (MnSCU) system, which participates in a private information sharing community. That service notified MnSCU – which in turn notified Metropolitan State University – of a blog posting by an individual who claimed to have accessed numerous websites and data servers.
Quote: “As of [Friday], there is insufficient information to know for certain who was affected,” according to a FAQ posted to the Metropolitan State University website. “We are still in the process of confirming whether data present on the server was in fact accessed.
Source: metrostate.edu, “Metropolitan State University Likely Data Breach Q & A,” Jan. 16, 2015; metrostate.edu, “Important Information about likely Metropolitan State Data breach and Web Site Impact,” Jan. 16, 2015.