An unauthorized party gained access to Michigan State University’s online store, shop.msu.edu, and placed malicious code to expose shoppers’ credit card numbers between Oct. 19, 2019 and June 26, 2020.
The intrusion was a result of a vulnerability in the website which has since been addressed. Once the university was notified, an initial investigation determined the exposed information included names, addresses and credit card numbers of about 2,600 customers. Once it became aware of the breach, the university’s information security team promptly corrected the vulnerability. No Social Security numbers were compromised and MSU is working with law enforcement in the investigation.
“Our top priority is preventing any further exposure of consumers’ information by sharing resources and tools to help protect them from these cyber criminals,” MSU Interim Chief Information Security Officer Daniel Ayala said. “The security of our IT systems and those who use them are of paramount importance to MSU. We are deeply sorry and understand the concern of those affected. We are working around the clock to make it right.”
The university began notifying all potentially affected individuals of the breach today. It is offering them free credit monitoring and identity protection, and making recommendations to further protect their information from exposure.
Such incidents underscore the importance of everyday actions we all can take to protect our systems and personal information. MSU IT offers the following measures individuals can take to protect themselves when working and shopping online:
- Being aware of the possibility of phishing emails.
- Creating effective passwords.
- Using two-factor password authentication on devices and accounts whenever possible.
- And deleting files and data when you are done using them.
“MSU has invested heavily in information security and will continue to do so,” Ayala said. “But investment alone is not enough. We must also continue to educate our campus employees and our broader community. We are recommitting ourselves to that important work, which is critical to protecting all those who use our systems in today’s highly technological society.”
In addition to the mandatory training already in place, administrators of the affected website will be required to undergo advanced training to ensure they are adhering to all appropriate security measures.
If consumers believe they may have been impacted by this incident and have not received an official notice from the university by Aug. 30, they are encouraged to call the university at 517-355-1855.