Monday, June 17, 2019

January cyberattack on MSSU exposed personal information about students, alumni

Missouri Southern State University officials have taken steps to tighten online security after a data breach five months ago potentially exposed personal information about students and alumni.

MSSU Chief Information Officer Al Stadler told The Turner Report that the university has not come across any instances of the private information being misused.

All of those affected either have received or will receive official notifications from CO/ID Experts, the Everett, Washington, based company that is handling the situation, Stadler said.

Officials in other states where students and former stusdents may be affected have also been contacted.

The notification letter reads as follows:

We are writing to share important information about a recent incident involving Missouri Southern State University that may have affected your personal information.

On January 9, 2019, the University was alerted to a possible cybersecurity attack triggered by a phishing email. The email contained a link, which, when clicked, allowed the perpetrator to potentially copy that employee's Office 365 account.

Unfortunately, several employees fell victim to the fraudulent scheme.

As soon as it detected this attack, the University contacted law enforcement and was directed to delay notification of potentially affected individuals until its investigation was complete.

The University immediately engaged a leading, forensic investigation firm to look into the matter and undertook enhancements to its already robust IT system to block potential email exploitation, including a mass password reset of all employees' Office 365 accounts.

The University analyzed the entire contents of the impacted Office 365 accounts. The emails and attachments in the accounts contained among other things- first and last names- dates of birth, home addresses, email addresses, telephone numbers and Social Security numbers.

In late March, April and early May, the University identified emails containing personal information that may have been compromised by the attack.

In mid-May, the University confirmed that your first and last name and Social Security number were contained in the impacted accounts. Please be assured that the investigation has not uncovered any evidence of actual misuse of your personal information.

In the next portion of the message, the steps that have been taken to deal with the cyberattack were outlined:

Once the University discovered this attack, it took immediate steps to analyze and improve security and monitoring of its Office 365 accounts containing sensitive information.

As part of the investigation and remediation efforts, the University also engaged a forensics team, other cybersecurity experts, law enforcement officers and the attorney general's office.

Although it appears that the risk of harm to you is minimal as a result of this incident, the University started working straightaway to notify impacted individuals once the investigation was complete and the results were communicated with law enforcement and other regulators.

Missouri Southern State University is offering those potentially affected 24 months of free credit monitoring and $1 million in identity theft insurance and providing the information on how to sign up for those services.


Anonymous said...

I went to another school, in Kansas, and always considered MSSu as a glorified high school. Amazing they teach IT classes and yet cannot protect student ID information. Even more insane is that are just now notifying some of the students of the hack. Maybe they should be looking into someone else to head their IT dept. and classes being taught versus what they now have. It is a joke compared to Pitt State and I did not go there as it was considered a farm school and I apologize for thinking that as they are top notch progressive school now.

Anonymous said...

The "holy education center" of Pitt State was hacked 18 months ago. Our Gov't is hacked regularly. Numerous corporations have been hacked in the last 15 years. All of which probably have better IT people than MSSU. (especially the Holy Education Center, I'm sure)
So what exactly is your personal beef with MSSU? Please share this experience. It might help you to heal.

Anonymous said...

What does teaching IT have to do with security? Do you think that professors will double duty as security?

Anonymous said...

What happened to the employees who allowed this? Terminated?

Anonymous said...

The letter from MSSU implies that the information stolen was in emails and/or email attachments. I graduated from MSSU in 1986. What was my 33 year-old information doing in a current email/email attachment?

Anonymous said...

>>>>>>I graduated from MSSU in 1986. What was my 33 year-old information doing in a current email/email attachment?

Have you done your part as an alumnus and donated large sums to help MSSU build for the future?

If so, that's probably why there are current emails and/or email attachments containing your information!

If not, that's probably why there are current emails and/or email attachments
containing your information!

Anonymous said...

To 8:05
No, I have not donated to MSSU in the past and now I certainly won't in the future.

If the breach occurred in the Alumni Association or the Foundation those offices have no reason to have any data except my name, address, phone number and year I graduated. Why did they have my date of birth and social security number? And why were they storing that data in an email?

Oregon State University has said how many of their students/alumni were affected. I have yet to see MSSU admit how many of their students/alumni have had their data compromised.

Anonymous said...

Good God, you people are acting like MSSU is the only place to ever have information compromised. Truth be told, you should probably praise them for being honest about it. I am sure that information is compromised everyday through various organizations and we never hear about it. Welcome to the 21st century, crybabies.