Students received an email from Michigan State University administration on Monday informing them of a data breach which may have led to unauthorized access of MSU community members’ personal data.
While MSU’s own systems weren’t breached, two companies that MSU shares student and employee data with were. The National Student Clearinghouse (NSC), an organization that provides MSU and other universities with educational reporting, verification and research services, and the TIAA, which provides some MSU retirees and staff with retirement plan accounts, are just two of hundreds of companies whose data was stolen in a massive cyber-attack last month.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified the cybercriminal gang known as “CL0P” as the culprit of the attack. The group took advantage of a vulnerability in the widely-used file transfer platform “MOVEit” to access data from some of the biggest names in business.
While it’s unknown how much data was stolen from MOVEit’s clients, it’s estimated CL0P will gain around $75-$100 million from ransom payments. After the attack was executed, the group threatened they would release the data publicly if victims didn’t pay.
They stayed true to their word. A few days ago, CL0P leaked a portion of the data online.
Rick Wash, a professor in MSU’s media and information department, said it’s not clear what information CL0P potentially has on MSU students and employees, or whether it will ever be released publicly. Since the group has taken massive amounts of data, they likely don’t have the time to sort through it to find what's most valuable.
“It’s not great for us, but it’s not as bad as it would be if they were specifically doling out the bad pieces of data and selling it,” said Wash.
MSU deputy spokesperson Dan Olsen told The State News in an email that “both the NSC and TIAA are still assessing what specific types of personal data (PII) were included in the breach.”
The two companies will provide MSU a list of any students or retirees whose information might have been exposed, according to the email community members received on Monday. NSC hopes to have this information in the next few weeks.
Wash said that working with third-party companies that are at times vulnerable to cyber attacks is necessary for institutions like MSU.
“It’s part of the interconnected world we live in right now,” he said.