MSU Spends $3 Million In Strengthening Its Security After Hacking Incident
By Chris Brandt, UniversityHerald Reporter
Earlier in November, Michigan State University was on high alert after discovering that someone had been able to hack and access the institution's database. That security breach gave the hackers access to all the personal accounts of both MSU faculty and students. It also led to the university investing around $3 million in strengthening its cyber-security.
The attack happened on a Sunday and the database was taken offline within 24 hours of the hack. According to the university, the database contains 40,000 records of students, faculty, and staff of MSU, including their names, IDs, and Social Security numbers.
With that data, the hackers can open new credit accounts or file tax refunds without the victim's knowledge. Unlike a stolen credit card, which you can call your bank to block, a Social Security number cannot be blocked in the same way.
According to Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, the potential for identity theft should be the very reason why institutions like MSU should not keep their records for two years after a person leaves. Moreover, there's no need for MSU to keep Social Security numbers.
MSU spokesman Jason Cody said that the university keeps such data because it maintains its relationship with all the members, past and present, of the MSU community. Cody also said that no passwords, health information, or financial and academic contact were stolen. He also confirmed that law enforcement officers along with forensic experts from MSU said that only 449 records were accessed out of the compromised 400,000.
Stephens disagreed, asking how MSU can be sure that only that number of records was accessed if it was not able to detect the data breach in the first place. He further said that since 2005, close to one million records have been exposed.
Meanwhile, MSU has signed a deal with security group AllClear ID to provide protection for those whose records were on the compromised database. According to IBM, such protection will cost an organization around $4 million.