A school might not seem like a likely target for cybercriminals, but the reality today is that anything connected to the Internet that contains personal data is at risk. Michigan State University is learning the hard way that the data on their servers is fair game.
On November 13th, an unknown attacker (or attackers) gained unauthorized access to an MSU database that contained records on 400,000 current and former students. They managed to exfiltrate personal information that included social security numbers, student ID numbers, and dates of birth.
The University has confirmed that only a fairly small number of records appear to have been accessed. Fox 2 News reports that just 449 out of the nearly half-million contained in the database. MSU’s response to the breach may have helped limit its impact. The database was taken offline shortly after the intrusion was detected.
Those affected have been notified. Like other companies and organizations that have seen social security numbers leaked in cyberattacks, MSU plans to offer free credit monitoring and identity theft protection to any students whose data was exposed.
School Increasingly Targeted
In late May of this year, the University of Calgary was victimized by cybercriminals. Their attackers weren’t after personally identifiable information (PII), however. They were after a massive ransom payment. After a protracted battle against the ransomware infection that encrypted important research data, the University opted to pay their attackers around $15,000 to make the problem go away.
McGill University’s Gabriella Coleman spoke with reporters from The Globe and Mail after the incident. An expert on hacker culture, Coleman said that she had been “sort of waiting for this.” Why? “Because universities are notorious for having terrible security,” Coleman added.
Earlier this year the University of Greenwich in England, U.C. Berkley, and the University of Central Florida were all hacked. Berkley had actually been hacked once before, way back in 2009.