Cyber Incident Victim: Michigan State University
Date: Nov 2016
Location: United States of America
Summary
A cybersecurity breach at Michigan State University exposed a database containing approximately 400,000 records of faculty, staff, and students, including names, Social Security numbers, identification numbers, and some dates of birth. The compromised data pertained to individuals employed or enrolled over several decades, though no passwords, financial details, or health information were involved. Unauthorized access to the server resulted in the theft of records for 449 individuals before the system was taken offline within 24 hours. The attacker demanded payment, which the institution declined. Affected parties were notified and offered complimentary identity theft protection and credit monitoring services for two years.
Description
On November 13, 2016, Michigan State University experienced a breach involving unauthorized access to a university server hosting a database containing approximately 400,000 records of faculty, staff, and students. The compromised data included names, Social Security numbers, MSU identification numbers, and in some instances, dates of birth. The affected individuals spanned faculty and staff employed by the university between 1970 and November 13, 2016, as well as students enrolled between 1991 and 2016. The university’s Information Technology team identified the breach swiftly, determining its cause and scope within a short timeframe. MSU Police Department collaborated with federal law enforcement agencies to investigate the incident, which involved a third-party attacker breaching the system. The database was taken offline less than 24 hours after the initial unauthorized access occurred, though this response did not prevent the attacker from exfiltrating records belonging to 449 individuals.

The breach resulted in confirmed access to sensitive personal information of 449 people, prompting MSU to notify all affected parties directly. The university offered complimentary identity theft protection, fraud recovery assistance, and credit monitoring services for two years to mitigate potential harm. Officials clarified that the compromised database did not store passwords, financial details, academic records, contact information, donation history, or health data. The attacker demanded payment in exchange for the stolen information, but the university refused to comply with the ransom request. No evidence suggested broader misuse of the data beyond the initial breach. The incident underscored risks associated with centralized storage of personally identifiable information and highlighted the university’s reliance on rapid detection and law enforcement coordination to contain the compromise.
