Wednesday, February 28, 2024

Social security numbers, MSU IDs accessed during third-party MSU data breach

October 12, 2023
<p>Then-senior Johnny Mocny studies on his computer during a break at work on Sept. 2, 2020.</p>

Then-senior Johnny Mocny studies on his computer during a break at work on Sept. 2, 2020.

Photo by Annie Barker | The State News

A third-party data breach led to unauthorized access of a “handful” of Michigan State University students’ personal data, including social security numbers and MSU IDs, university deputy spokesperson Dan Olsen told The State News on Tuesday. 

The students whose data was compromised were notified by MSU on Aug. 17. However, the details regarding what data was accessed during the breach were not made public at the time. 

Since the number of those affected was so few, Olsen said he could not share exactly how many students were directly impacted out of privacy concerns. 

MSU shares student data with the National Student Clearinghouse, or NSC, an organization that provides universities with educational reporting, verification and research services. NSC uses the popular file-transfer platform MOVEit, which was the victim of a massive cyber attack in June. 

The Cybersecurity and Infrastructure Security Agency identified the cybercriminal gang known as “CL0P” as the culprit of the attack. The group took advantage of a vulnerability in MOVEit’s code to access data from some of the biggest names in business, including the NSC. 

It’s estimated CL0P will gain around $75-$100 million from ransom payments.

MSU is one of 890 schools impacted by the NSC breach, with 51,869 people, including students, affected in total, according to NSC’s data breach filing with the Office of Maine’s attorney general in August. 

CL0P leaked a portion of MOVEit data publicly online in July, following through on earlier threats. Websites containing the stolen data were quickly taken down. 

Rick Wash, a professor in MSU’s media and information department, told The State News in July it’s not clear whether the information CL0P has on students will ever be released publicly. Since the group has taken massive amounts of data, they likely don’t have the time to sort through it to find what's most valuable. 

“It’s not great for us, but it’s not as bad as it would be if they were specifically doling out the bad pieces of data and selling it,” Wash said.

NSC did not respond to requests for comment.

Support student media! Please consider donating to The State News and help fund the future of journalism.


Share and discuss “Social security numbers, MSU IDs accessed during third-party MSU data breach” on social media.