Michigan State University confirms data breach of server containing 400K records

Michigan State University announced last Friday, November 18, that on November 13 unauthorized users gained access to university computer and data systems containing about 400,000 records of sensitive personal information of current and former students and employees, including names, Social Security numbers, MSU identification numbers, and in some cases dates of birth. MSU states the database did not contain passwords or financial, academic, contact, gift or health information.

University spokesperson Jason Cody states that hackers sent an email to the university in an attempt to extort money. MSU states that the university did not pay and did not lose access to any of the affected records. MSU also states the database was taken offline within 24 hours of the unauthorized access. MSU’s press release states its IT team “rapidly determined the cause and nature of the breach,” although this information is not shared in the press release or on its data security page. MSU states it is working with federal law enforcement to investigate the crime.

MSU states that, as a result of this incident, it has accelerated IT security projects for key risk areas and is launching a comprehensive investigation of information systems. MSU is also holding a series of information sessions and seminars on data security and identity theft protection.

On its data security website, Michigan State University’s President Lou Anna K. Simon states “only 449 records were confirmed to be accessed within the larger database to which unauthorized individuals gained access.” MSU states the database the unauthorized party had access to contained records of the following two groups:
  • All faculty, staff and students who were employed by MSU between 1970 and November 13, 2016
  • Students who attended MSU between 1991 and 2016
MSU has attempted to notify all students, alumni, staff and faculty who were affected by sending email notifications, posting information on its social media channels, sending notices by mail to the last known US postal address of all affected individuals, and distributing a news release to media outlets. MSU directs individuals who have not received a notification letter and believe they may be impacted to call 1-855-231-9331.

Starting Nov. 22, 2016, MSU is providing credit monitoring and ID theft protection services for any member of its community who may have been impacted by the “criminal act.” Individuals are directed to contact AllClearID, the entity that is providing the credit monitoring services, at msu.allclearid.com or call 1-855-231-9331 to enroll.

MSU has set up a dedicated website to provide information and updates. MSU also included FAQs on its data security website with information regarding the incident and states it will provide updates.

MSU’s incident is another example of why all entities in all industries need to be prepared. It is not a question of IF your entity will experience a data incident; it is a matter of WHEN. Now is a great time to conduct a data privacy and cybersecurity review to ensure you have the proper policies and procedures, including a written information security plan and incident response plan. Having the proper policies and procedures in place and training personnel are required for a successful data privacy and cybersecurity program.
