On November 13, 2016, Michigan State University (MSU) suffered a cyberattack resulting in unauthorized access to a critical university database. The breach exposed highly sensitive personal information of both employees and students, including names, Social Security numbers (SSNs), student identification numbers (APID), employee identification numbers (ZPID), and dates of birth in some cases. The exact number of affected individuals remains undisclosed, heightening concerns over the scale of exposure. The compromised data poses severe risks, including identity theft, financial fraud, and long-term reputational harm to the institution. In response, MSU secured the breached database and offered 24 months of free identity protection services to mitigate potential damages. However, the incident underscores vulnerabilities in the university’s cybersecurity infrastructure, particularly in safeguarding personally identifiable information (PII) of its community. The breach’s long-term consequences—such as phishing attacks targeting exposed SSNs or fraudulent use of stolen identities—remain a persistent threat, requiring ongoing vigilance from affected individuals and the institution.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-65104
TPRM report: https://www.rankiteo.com/company/msuit
"id": "msu322091725",
"linkid": "msuit",
"type": "Cyber Attack",
"date": "11/2016",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Unknown (employees and '
'students)',
'industry': 'Higher Education',
'location': 'East Lansing, Michigan, USA',
'name': 'Michigan State University',
'type': 'Educational Institution'}],
'customer_advisories': ['24 months of free identity protection services '
'offered to affected individuals'],
'data_breach': {'data_exfiltration': 'Likely (unauthorized access confirmed)',
'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSNs and '
'identification numbers)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Sensitive Personal Data']},
'date_detected': '2016-11-13',
'description': 'The California Office of the Attorney General reported that '
'Michigan State University experienced a cyberattack on '
'November 13, 2016, potentially exposing personal information '
'of employees and students. The breach involved unauthorized '
'access to a university database containing names, Social '
'Security numbers, student identification numbers (APID), '
'employee identification numbers (ZPID), and in some cases, '
'dates of birth. The number of individuals affected is '
'unknown. The university secured the database and is providing '
'24 months of free identity protection services to affected '
'individuals.',
'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
'exposure of sensitive personal data',
'data_compromised': ['Names',
'Social Security numbers (SSNs)',
'Student identification numbers (APID)',
'Employee identification numbers (ZPID)',
'Dates of birth (partial)'],
'identity_theft_risk': 'High (due to exposure of SSNs and PII)',
'systems_affected': ['University database']},
'initial_access_broker': {'high_value_targets': ['University database '
'containing PII']},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['Reported to the '
'California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': ['Provided 24 months of free identity '
'protection services to affected '
'individuals'],
'containment_measures': ['Secured the compromised database'],
'incident_response_plan_activated': True},
'title': 'Michigan State University Cyberattack (2016)',
'type': 'Data Breach'}