
Michigan State University: Payment sought after employee, student data breach - rmason
http://www.lansingstatejournal.com/story/news/local/2016/11/18/msu-names-and-social-security-numbers-accessed-data-breach/94086880/
======
Casseres
A year ago, a university that I never even applied to sent me a letter saying
that my Social Security Number was among the data that was stolen in a hack.
(They offered a year of free "monitoring" and yes, I checked to see that it
was a real event and not a phishing attempt.)

Apparently a decade ago when I took the ACT, I gave the testing company my
SSN. I listed this university as one to send my scores to for free. Apparently
the ACT company not only gave them my scores but my SSN as well. On top of
that, the university held on to my SSN for years after it was clear that I was
never going to apply there.

Of course now as an adult, I know better not to give out my SSN, but many
others do not. Until companies see that holding on to personal information is
a liability rather than an asset, nothing is going to change.

~~~
maxerickson
SSNs just shouldn't be sensitive information.

(it's great if we get organizations not to hold onto personal information too,
but at the level of society, the harm due to identity fraud is largely
self-inflicted, we choose to allow organizations that fail to do reasonable
diligence to push consequences onto individuals)

~~~
dublinben
Exactly, the cat is out of the bag. It's time we stopped treating an SSN as a
magic key that grants any kind of significant access.

~~~
1121redblackgo
Yup, in the same way that guns are out of the bag in the US. What do we do to
limit the threat to the public at large? The solutions may seem like band-aids
but they may be the best that we have.

~~~
grzm
_the same way that guns are out of the bag_

This adds nothing to your comment. Please don't inject flamewar topics into a
thread.

~~~
mikestew
And this comment adds nothing to the conversation except as an example of
over-zealous wannabe moderation. No one's injecting anything, it was a literary
tool called a metaphor. Personally, I thought it a clever parallel.

------
tk427
Here is the official site that won't nag you with the LSJ paywall.
[https://msu.edu/datasecurity/](https://msu.edu/datasecurity/)

~~~
metaphor
Thanks. The ads on the original link are ridiculously obnoxious.

------
danso
> _The breach was disclosed Friday, Cody said, because the university needed
> to confirm what information was accessed, who might be affected and set up
> resources for those affected before it was disclosed._

The breach happened Sunday, and it took MSU all that time to investigate it
until they could announce it tonight, which is coincidentally the traditional
time to announce bad news because everyone is checked out for the weekend? I'm
not feeling a lot of good vibes about transparency here.

~~~
pmorici
Frankly it sounds like this was discovered and disclosed a lot faster than
most other similar incidents. The OPM hack took years for the government to
disclose from the time they first knew of it. Linkedin, Target, Home Depot,
and more than I can even remember at this point all took months to years to
discover and disclose. 1 week is lightning speed.

------
shortformblog
As an MSU grad, I feel like they handled this well. As anyone who reads Brian
Krebs' site can tell you, a lot of companies have waited months to make
similar announcements. It took them a week. Two years of protection is
generous as well—usually it's a year in such breaches.

And I say that not being a rah-rah alum, either.

~~~
jdnier
"The affected database contained records for all faculty, staff and students
who were employed by the university between 1970 and Nov. 13, and all students
who attended the university between 1991 and 2016."

I bristle a little at "handled this well". All they've done so far is disclose
the basics. Great. But the breach covers just about every employee (student
employees included) for the past 46 years plus all students since 1991. I'll
defer judgement on how well they handle it. Meantime, credit monitoring; oh
joy.

~~~
Hondor
How is who your employer was private? I would never expect that to be
confidential nor upset if it became public. Surprised, yes, but what's the
harm? Your workmates all knew you worked there and could have tattled on you.

------
skittleson
At least they are providing fraud protection. They handled it fast instead of
just sitting on it.

~~~
jlgaddis
Ironically, they probably had to provide the credit monitoring company with
all 400,000 of the affected people's private information in order to do so.

~~~
freehunter
And I've been affected by a single breach in all these years: the breach at
Experian, a credit bureau. So these folks can look forward to having their
data lost a second time, because even these guys aren't immune to data loss.

------
bitmapbrother
Are there any details of the hack and what OS the school was using?

