An email sent to Michigan State University last weekend attempting to "extort money" helped the university identify a data breach that affected about 400,000 records and included names, Social Security numbers and MSU identification numbers, a university spokesman said Friday evening.
The affected database was accessed on Sunday and was taken offline within 24 hours of the hack, according to a university statement. The database contained about 400,000 records, but the university said records for only 449 people were confirmed to have been accessed.
University spokesman Jason Cody said the hacker or hackers sent an email to the university and "there was an attempt to extort money." He added that the university didn't pay any money and didn't lose access to any affected records.
Cody said the email helped the university identify the breach and that he isn't sure if there was additional communication from the hacker or hackers.
"At Michigan State University, we are committed to data and privacy protection," according to a statement on the school's website. "Regrettably, we were recently the target of a criminal act in which unauthorized users gained access to our computer and data systems. Information security is a top priority of our university, and we know the frustration this is causing members of our community."
Cody said the university police department, with its computer forensics team, is leading the criminal investigation and is being assisted by federal law enforcement.
The breach was disclosed Friday, Cody said, because the university needed to confirm what information was accessed, who might be affected and set up resources for those affected before it was disclosed.
The affected database contained records for all faculty, staff and students who were employed by the university between 1970 and Nov. 13, and all students who attended the university between 1991 and 2016.
Social Security numbers, university identification numbers and in some cases, dates of birth were in the database, the university said. However, MSU said no passwords or financial, academic, contact or health information was compromised.
The university is offering to pay for two years of identity theft protection, fraud recovery, and credit monitoring for affected individuals. For enrollment details call 1-855-231-9331 or visit https://msu.allclearid.com.
The university also set up a webpage to provide additional information and updates on the data breach. It can be found at www.msu.edu/datasecurity.
It's the second high-profile cybersecurity incident in the region this year. The Lansing Board of Water & Light was the victim of an April 25 ransomware attack that crippled its internal network and forced it to pay a $25,000 ransom. The event cost the utility around $2 million for technical support and equipment to upgrade their security, according to financial records.