Whoever hacked into a Michigan State University database earlier this month “found the Holy Grail," according to one security expert.
Names and MSU identification numbers were exposed along with social security numbers, which are extremely valuable to criminals, said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse.
Armed with social security numbers, a criminal could open up new credit cards or file someone’s taxes and collect their refund. And unlike having a credit card number exposed, consumers can’t simply call their bank and have the account closed, Stephens said.
Between providing identity protection and enhancing its security systems, MSU estimates that it will spend $3 million in response to the attack.
The potential for identity theft underscores why institutions like MSU shouldn’t hold onto these records for more than a couple years after someone leaves, Stephens added.
“There’s no need to maintain certain data elements,” Stephens said. “And MSU shouldn’t have maintained social security numbers.”
MSU spokesman Jason Cody defended MSU’s record keeping, saying the university needs the records because it maintains “ongoing relationships with members of our community long after they leave us.”
MSU also keeps extensive records for current and past employees who collect benefits through MSU, Cody added.
The compromised database did not include passwords or financial, academic, contact or health information.
An email from the alleged hacker seeking money arrived on Nov. 13, alerting the university to the data breach, Cody said. Some 400,000 records for current and former students and staff were on the exposed database. MSU first announced the breach and began alerting those affected five days after finding out about the attack and about an hour before most banks close for the week.
Defending the amount of time between the attack and the alert, Cody said law enforcement officials needed to be contacted and the cause of the attack needed to be identified to prevent further attacks. MSU's timeframe “wasn’t particularly egregious,” according to Stephens.
While MSU may review its data policies in response to the breach, there are no current plans to change what information is kept, Cody said. Forensic experts from MSU, alongside law enforcement, confirmed only 449 of the 400,000 exposed records were accessed.
Stephens cast doubt on that figure.
“If (MSU) couldn’t see their database was hacked in the first place, how much confidence can you put in the number of records accessed,” he asked, referring to the fact that MSU was notified of the hack by an alleged perpetrator.
MSU officials have signed a contract with AllClear ID to provide identity protection for anyone whose records were on the compromised database.
A recent study funded by IBM found the average cost of a data breach for affected organizations is about $4 million.
More than 5,200 data breaches have been made public since 2005, according to Privacy Rights Clearinghouse, exposing some 900,000,000 records. MSU is targeted, "hundreds of thousands of times" a month by digital attacks, Cody said, from attempted breaches to malware emails.
After the email arrived, MSU immediately contacted law enforcement and began investigating how the breach occurred, Cody said. The database was taken offline within 24 hours. MSU has determined the breach was caused by a piece of licensed software.
Those affected include students who attended MSU between 1991 and 2015 and faculty, staff and students employed by the university between 1970 and Nov. 13.
Despite never working for or attending MSU, Jeff Kussow said he received a letter from MSU saying his records were part of the breach.
“In fact, I've never set foot on the campus and don't recall enrolling in anything they've offered, even online,” Kussow wrote in an email.
Applying to graduate school at in the mid-1990s was the only contact Kussow remembers having with MSU.
Cody said there's no reason to believe information from applicants was on the compromised database. A handful of people like Kussow have contacted MSU in the past week after receiving letters despite no connection to MSU. Cody chalked it up to someone having the same name as someone who did attend or work for the university.
MSU began sending out emails and letters about the hack Nov. 18, Cody said. Anyone whose data was comprised is advised to visit msu.edu/datasecurity to sign up for identity protection. Those wishing to know if they were affected by the breach or wanting to sign up for identity protection should call 1-855-231-9331.
Stephens advised those affected to sign up for additional credit monitoring and file their taxes early to prevent a criminal from claiming their refund.
In 2014, the University of Maryland took about a day to disclose a data breach that included some 300,000 personal records. That same year, Target waited close to two months to let customers know of a breach that affected millions of customers. Ohio State University took about a month in 2010 to disclose that some 760,000 people had their data exposed and were at risk of identity theft.
Cody said further details about the breach, including where it came from, aren't yet known. A criminal investigation is ongoing.