Hacker accesses Michigan State University database in reported extortion attempt

Michigan State University on Friday confirmed that an unauthorized party accessed a university server containing sensitive data pertaining to current and former students, faculty and employees.

How many victims? Of the 400,000 records stored on the breached database, 449 were confirmed accessed by the hacker. According to the East Lansing, Mich.-based university, there is no evidence indicating that the remaining records were affected. The full database includes information on faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, and students who attended between 1991 and 2016.

What type of information? Names, Social Security Numbers and MSU identification numbers, and in some cases dates of birth. The server did not contain passwords or financial, academic, contact or health information.  

What happened? University spokesman Jason Cody told the Lansing State Journal that MSU became aware of the Nov. 13 breach after the hacker or hackers responsible sent an email to the university in an “attempt to extort money.” MSU took the affected database offline within 24 hours of the intrusion and, according to Cody, the university neither paid the ransom, nor lost access to any records.

What was the response? MSU has begun reaching out directly to all individuals listed in the database via email, social media, mail and a news release. All 400,000 students, alumni, staff and faculty members are eligible for two years of free identity theft protection, fraud recovery and credit monitoring. The university also stated that it will conduct a thorough investigation into its information systems, accelerate IT security projects for key risk areas, hold a series of data security seminars, and continue to work with national experts to improve overall campus security.

The university recommended that affected individuals who suspect they are victims of fraud or ID theft report unauthorized activity to police, using the MSU police incident report reference number 1658103881.

Quote: “At Michigan State University, we are committed to data and privacy protection. Regrettably, we were recently the target of a criminal act in which unauthorized users gained access to our computer and data systems,” said President Lou Anna Simon in a statement. “Information security is a top priority of our university, and we know the frustration this is causing members of our community. “

Sources: A Michigan State University incident advisory and information webpage, and the Lansing State Journal.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.