Universities are ripe targets: Michigan State University Compromised
Universities have been targets for years, and some have been compromised multiple times
within a single year. Attackers recognize that universities hold a plethora of information
that can be exfiltrated and later sold or used in an unauthorized manner. The value of this
data may be rather substantial when it is sold on the dark web.
In late 2016, one of the latest targets was Michigan State University. The University was
breached on November 13, 2016. The data exfiltrated included social security numbers, MSU
ID numbers, and employees’ dates of birth. Fortunately, the compromised database did not
contain other information that would have made the situation much worse, such as passwords
or the affected persons’ financial, academic, contact, gift, or health data. The breach
involved 449 records which were exfiltrated. These were only a portion of a database with
over 400K records. The attackers sent MSU an email in an attempt to extract a payment from
the University.
Post-Breach Actions
The University took this rather seriously, which is a good thing. Too often the affected
party has a quick knee-jerk reaction. The University worked through the issue and did not pay
the “requested” fee. After this decision, the University began to notify the affected parties,
consisting of students, alumni, staff, and faculty. The University also posted a website with
updated information regarding the compromise, along with the usual disclaimer. The
University, to its credit, is providing two years of identity theft protection, fraud
recovery, and credit monitoring for free.
Lesson Learned
Data is pertinent and valuable to different persons, for different reasons. The attackers
focused on this, naturally. The systems holding this data need to be secured, and the network
segments they sit on should be subnetted where possible. The database with confidential data
should be reviewed regularly, along with its logs. This limits exposure from a time
perspective: by checking the logs regularly, the authorized staff is able to note that a
compromise has occurred sooner rather than later. An attacker with free rein for several
months has greater potential for creating issues than one who has been noticed within a week.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.