Cyber Incident Victim: Mid-Michigan College

On or around June 19, 2020, Mid-Michigan College publicly disclosed a cybersecurity incident involving unauthorized access to its email systems. A threat actor successfully penetrated the college’s email infrastructure, compromising the accounts of 10 employees. This breach potentially exposed the personal information of up to 16,000 individuals associated with the institution. The college’s president, Christine Hammond, formally notified the campus community about the incident earlier in the week through direct correspondence, followed by an official public notification issued on Thursday, June 19. The breach announcement did not specify the exact timeframe of the intrusion or the methods used by the attacker to gain initial access to the email environment.

The compromised employee email accounts contained sensitive personal data, though the college did not publicly enumerate the specific data elements exposed beyond the broad categorization of "personal data." In response to the breach, Mid-Michigan College initiated notifications to affected parties, consistent with standard breach disclosure protocols. The public notice served as the primary mechanism for informing broader stakeholders about the potential exposure of their information. No details were provided regarding technical containment measures, forensic investigation findings, or whether law enforcement was engaged. The incident’s confirmed impact remained confined to the 10 employee email accounts, with the 16,000 figure representing the upper estimate of individuals whose data resided within those accounts. The disclosure did not address whether the attacker exfiltrated data or merely accessed the email system.