Maura Lerner reports:
Metro State University is investigating a computer security breach that may have exposed personal information about students, faculty and staff.
In a campuswide e-mail Friday, interim president Devinder Malhotra wrote that a computer hacker apparently got “unauthorized access” to the university database in mid-December, and that investigators are still trying to determine the scope of the data breach.
“We do not believe this server contained any financial data or credit card information,” he wrote, but he said some of the databases included employee Social Security numbers.
Officials say they learned about the problem Jan. 2, when a cybersecurity service notified them about a blog posting “by a computer hacker” who claimed to have hacked into 75 websites. “We were just one of those,” said Anne Sonnee, the interim vice president for communications.
Read more on Star Tribune.
A statement on the university’s web site states:
Metropolitan State University has recently learned of a computer security intrusion and a likely data breach. We are investigating the scope of what appears to be unauthorized access to a university server that contained personal information of faculty, staff and students. We do not believe this server contained any financial data or credit card information, but several databases included employee Social Security Numbers.
We responded quickly when we learned of this situation. We immediately enlisted the assistance of the system office of the Minnesota State Colleges and Universities (MnSCU), and the State of Minnesota’s MN.IT division, and we will be bringing on additional expertise as is required. To date, we have established the validity of the claimed attack, disabled the vulnerability that we believe permitted this breach, isolated the risk from other servers, and notified law enforcement. The university is also taking additional measures to minimize future security risks.
As part of our response, we are moving our web site to a new server and you may notice reduced functionality and broken links. While this move may cause some disruption of web site functions, the following services are NOT affected and may be directly accessed by clicking the links below:
D2L
eServices
PortalWe will be working through the weekend to correct web site problems and will continue efforts to return web functionality. We will keep you updated.
While our investigation may take several weeks to establish the nature and scope of the possible breach, out of an abundance of caution and with the goal of full transparency, we are communicating what we do know about this situation as soon as possible. As the investigation progresses, we will share the results, contact affected individuals, and confirm if data were compromised. We will also notify affected individuals, as required by law.
While we are not yet able to determine who the affected individuals are, in the interim it may be prudent to take precautions to prevent identity theft and credit card fraud by closely monitoring credit card activity and other financial transactions. Specific information on how to obtain a credit report and report identify theft may be found on the Minnesota Attorney General’s website at http://www.ag.state.mn.us/Consumer/IdentityTheft/Default.asp
The university sincerely regrets this apparent breach and any inconvenience it may cause.
We appreciate your patience and understanding during this transition. Please see the attached Q & A for more information. If you have any further questions or need additional information, you may also email or call Metropolitan State University Gateway at 651-793-1300. Your inquiry will be directed to the appropriate individual or department for a response.
There is a related Q & A about the breach on the university’s web site.
A search of Pastebin discloses a post on December 31st by “Abdilo” (@abdilo_ on Twitter), a self-described teenage hacker from Australia. The paste references having allegedly hacked Metro State in December:
MetroState.edu(I broke into you cause i like 22 jump street, thanks for the 22k ssns)
If that claim is true, at least 22,000 people may have had their Social Security numbers stolen.