Hack sought personal data, but most safe

Feb. 28—MANKATO — An investigation by Minnesota State University into the improper sharing of nonpublic personal information of students, staff and donors found that 142,226 individuals were affected — more than triple the number reported in December.

But most of the private data was not in the database of a cloud services company that was hacked last summer in a ransomware attack, according to the report completed earlier this month.

The investigation was launched after the discovery of a ransomware attack on the computer systems of Blackbaud, a South Carolina-based cloud services company used by the fundraising arms of numerous nonprofits and colleges, including MSU and South Central College. The hackers potentially had access to a variety of personal information compiled by MSU and SCC and stored with Blackbaud.

The final report completed by Michael Menne, MSU’s chief information security officer, listed the information provided to the MSU Foundation for fundraising purposes that should have been kept private.

“Not-public data shared with the Foundation included country of birth, gender, last 4 digits of Social Security Number, marital status, birth date, TechID, high school and years of attendance, ethnicity, and status as a first-generation college student,” Menne’s report stated.

However, virtually none of that data was accessed during the Blackbaud security breach — the only exception being people’s date of birth.

“Financial data, social security numbers and passwords were not accessed as part of the Foundation’s Blackbaud security incident,” according to the report, which was issued following an investigation conducted by a team of nine MSU officials.

SCC has not conducted any further investigation since informing 13,282 students, staff, alumni and donors on Dec. 18 of the Blackbaud breach. In SCC’s case, the final conclusion was that the college had improperly shared with its fundraising foundation full Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and campus ID numbers, and that the data “may have” been in the compromised Blackbaud database.

Hospital systems, nonprofit organizations and colleges across the country had…