MSU data breach: Database with 400,000 records accessed

Michigan State University (MSU) has confirmed that on Nov. 13 an unauthorized party gained access to an MSU server containing certain sensitive data which included the personal identifying information of 400,000 individuals. The MSU data breach, characterized by the MSU President Lou Anna K. Simon as a,”criminal act in which unauthorized users gained access to our computer and data systems”.

Simon continued, “Only 449 records were confirmed to be accessed within the larger database to which unauthorized individuals gained access. However, as a precaution, we will provide credit monitoring and ID theft services for any member of our community who may have been impacted by this criminal act.”

MSU data breach

According to MSU, the database which was accessed contained the 400,000 records, each containing PII of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, or were students between 1991 and 2016.. 

  • Names
  • Social Security Numbers
  • MSU identification numbers
  • Birth Dates

MSU noted, that the compromised records did not contain: passwords, financial, academic, contact, gift or health information. Apparently the information technology (IT) and information security (INFOSEC) teams had in place the ability to determine which records were opened during the period of “unauthorized access” and confirmed 449 of the 400,000 were confirmed to be accessed by the unauthorized party. 

Furthermore, unlike many instances where a data breach causes paralysis within the entity, the MSU data breach shows us the presence of an INFOSEC team, having a plan, and executing on that plan.

Education as a target

The education sector is and always will be a lucrative target from both unscrupulous entities, as well as nation states. The information desired ranges from the PII as targeted and captured in this instance for current or future use to make an approach to an individual to the advanced transformative research being conducted at the college or university.  The need to lock down the infrastructure across academia remains challenging.  According to the 2016 Voremetric Data Threat Report, the number one shortcoming to implementation of cybersecurity infrastructure within the educational sector is the lack of skilled IT/INFOSEC staff.

In 2015, NBC News produced a short piece on the a targeting the online infrastructure of the educational sector. The salient data points within the video remain as true today (2016) as they did when the piece was pulled together.