Universities are ripe targets: Michigan State University Compromised

Universities have been targets for years. There have been Universities that have been

compromised multiple times within a year. The attackers acknowledge there is a plethora of

knowledge available to be exfiltrated and later sold or used in an unauthorized manner. This

value may be rather substantial as this is sold on the dark web.

In late 2016, one of the latest targets was Michigan State University. The University was

breached on November 13, 2016. The data exfiltrated included the social security number, MSU

ID number, and employee’s date of birth. Fortunately, the database compromised did not

contain other information, which would have made the situation must worse. This would have

included passwords, or information regarding the persons financial, academic, contact, gift, or

health data. The breach involved 449 records which were exfiltrated. These were only a portion

of a database with over 400K records. The attacks sent MSU an email in an attempt to extract a

payment from the University.

Post-Breach Actions

The University took this rather seriously, which is a good thing. Too often the affected

party has a quick knee-jerk reaction. The University worked through the issue and did not pay

the “requested” fee. After this decision, the University began to notify the affected parties,

consisting of students, alumni, staff, and faculty. The University did post a website with the

updated information regarding the compromise. The usual disclaimer was also published with

this. The University, to their benefit, is providing two-years of identity theft protection, fraud

recovery, and credit monitoring for free.

Lesson Learned

Data is pertinent and valuable to different persons, for different reasons. The attackers

focused on this, naturally. The areas holding these need to be secured, and subnet the

segments where possible. The dB with confidential data should be reviewed with regularity,

along with the logs. This is used to limit exposure, from a time perspective. With checking the

logs regularly, the authorized staff is able to note when a compromise would have occurred

more sooner than later. An attacker with free reign for several months has a greater potential

for creating issues, than someone who has been noticed within a week.

Resources

Mencarini, M. (2016, November 21). MSU: Names and social security numbers accessed in data

breach. Retrieved from http://on.freep.com/2g6BwmR

Mencarini, M. (2016, November 22). Michigan state university confirms data breach of server

containing 400,000 student, staff records. Retrieved from

http://www.wxyz.com/news/michigan-state- university-confirming- data-breach- of-server-

containing-400000- student-staff- records

Miller, F. (2016, November 18). Update: MSU spokesman says hack was an extortion attempt.

Retrieved from http://www.wix.com/content/news/MSU-data- breach-exposes- records-of-

current-and- former-students- employees-401946226.html

WXYZ. (2016, November 22). Michigan State University confirms data breach of server

containing 400,000 student, staff records. Retrieved from

http://www.wxyz.com/news/michigan-state- university-confirming- data-breach- of-server-

containing-400000- student-staff- records

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Featured Posts
Posts are coming soon
Stay tuned...
Recent Posts
Archive
Search By Tags
No tags yet.
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square