Cyber Incident Victim: Metropolitan State University

In mid-December 2014, a hacker penetrated a Metropolitan State University web server during a single unauthorized access incident. The breach remained undetected until January 2, 2015, when an external network security service identified the intrusion. University IT personnel addressed the software vulnerability by January 7, 2015, disabling the specific weakness that enabled the breach. The institution migrated its website to a new server as part of containment efforts. On January 16, 2015, university officials publicly announced the probable data compromise, initially withholding specific impact details while the investigation continued.

The forensic investigation ultimately confirmed approximately 160,000 current and former students had personal information exposed, including dates of birth, home addresses, phone numbers, and grade point averages. Among these, 11,000 individuals had the last four digits of their Social Security numbers potentially accessed. Approximately 25,000 affected students had been enrolled within the three years preceding the breach, though the university could not determine the full chronological scope of compromised student records. In February 2015, administrators separately notified 900 faculty members who served between 2004 and 2009 that their Social Security numbers—either partially or completely—may have been exfiltrated, though officials indicated partial numbers were more likely. No student financial records, credit card information, or banking details were jeopardized. The university received no reports of identity theft linked to the incident from affected individuals. Interim President Devinder Malhotra issued a public apology, confirming remediation measures included vulnerability patching, server replacement, and implementation of enhanced security protocols to reduce future risks.