Hackers accessed a Michigan State University database with records for around 400,000 people in mid November. Names, MSU ID numbers and social security numbers were all part of the breach, which the school learned about only after the hacker sent an email seeking money on Nov. 13, 2016. The school announced the breach some five days later. According to a story in The National Law Review published on Dec. 5, 2016 the university identified the breach and took action, “limiting the hacker’s access to only 449 records.”
Though Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, cast doubt on that number in an interview for a story in the Lansing State Journal.
““If (MSU) couldn’t see their database was hacked in the first place, how much confidence can you put in the number of records accessed,” he asked, referring to the fact that MSU was notified of the hack by an alleged perpetrator.
This is MSU’s second data breach this year, and its fourth significant incident since 2012, according to cyber security blog Security Affairs. Ransom demands are increasingly common.
“Cybercriminals are shifting focus away from mass theft of payment card information and personal data — usually from large retailers and insurers — and are turning their focus to smaller, data dependent entities where stolen data or entire IT systems can be held hostage,” according to the National Law Review story.
Stephens argues in the Lansing State Journal story that there’s no need to maintain records for more than a few years after someone leaves, saying “MSU shouldn’t have maintained social security numbers.”
According to privacyrights.org, there have been over 800 data breach incidents at educational institutions and 15,000,000 records breached at educational institutions since tracking began.
A 2016 study funded by IBM found the average cost of a data breach for affected organizations is about $4 million. Between providing identity protection and enhancing its security systems, MSU estimates that it will spend $3 million in response to the attack, according to the Lansing State Journal story.
Are you covered for identity theft?
Image: Unsplash