Security

Michigan State Grapples with Data Breach in Third-Party Software

• By Dian Schaffhauser
• 04/24/20

Even as schools are dealing with the fallout from coronavirus, a Michigan university is facing the fallout of a cybersecurity virus too. Michigan State University said a data breach that hit one of its software vendors has affected about 300 people who processed credit card payments through its ecommerce site, shop.msu.edu.

Volusion, which provides online payment processing to companies, publicly reported that the personal information of some of its merchant clients was exposed last fall, when malware was inserted into its ecommerce application. An outside forensic evaluation uncovered the extent of the breach. Those affected were people who shopped on Volusion-hosted websites between Sept. 7 and Oct. 8, 2019, including one run for Michigan State.

According to university officials, the breach exposed names, phone numbers, addresses, credit card numbers, expiration dates and CVVs. In response, the institution said it would replace the payment solution with another "with stronger and more robust cybersecurity measures."

"While there was no breach to [our] networks or systems, this breach of a third-party vendor is concerning and compels us to do what we can to help those impacted by sharing this important information," noted Chief Information Officer Melissa Woo, in a statement. "We know that the best tool in protecting yourself from identity theft and preserving your personal information is accurate information and swift action."

The school also provided basic guidance on how to protect themselves in the face of a breach, including using two-factor authentication with online accounts where possible, taking advantage of free credit reporting and putting a fraud alert on personal credit files, as advised by the Federal Trade Commission.