In a pair of major breaches announced over the past several days, hackers have stolen data from Michigan State University (MSU) and from the Madison Square Garden Company (MSG) entertainment venues: Madison Square Garden, Radio City Music Hall, the Beacon Theater, and the Chicago Theater.
Michigan State University announced on November 18 that on November 13 an unauthorized party gained access to a university server containing sensitive data. The server held the names, Social Security numbers and MSU identification numbers of approximately 400,000 current and former students and employees.
Of those records, 449 were confirmed to have been accessed by the attackers. “There is no evidence unauthorized individuals retrieved the other records; however, as a precaution MSU is reaching out directly to all individuals who may be affected by this criminal act to offer free credit monitoring,” the university said in a statement.
“In addition, MSU is continuing to work with national experts to improve overall campus security,” the university added. “IT officials also are accelerating implementation of MSU’s existing plan for increased security.”
RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that the MSU breach is indicative of an increase in attacks targeting the education sector. “While the education vertical isn’t beholden to the same compliance regulations as financial services, the market will be… increasingly attractive to hackers with databases that contain Social Security numbers, student medical and mental health data, academic and income records, among other things,” he said.
“Institutions that fail to wrap their arms around their risk environment will jeopardize their brand, competitiveness for top students, enrollment figures, government funding and alumni donations — benefits that are too important to risk losing,” Fantuzzi added.
Separately, The Madison Square Garden Company announced on November 22 that it had investigated a pattern of suspicious card activity after banks had alerted it to the issue. “In the last week of October 2016, as soon as the investigation found signs of external unauthorized access, MSG worked with [leading] security firms to stop it and to implement enhanced security measures,” the company said in a statement.
The investigation uncovered unauthorized access to MSG’s payment processing system and the installation of malware that searched for payment card data.
Cards used at Madison Square Garden, Radio City Music Hall, the Beacon Theater, the Chicago Theater or the Theater at Madison Square Garden between November 9, 2015 and October 24, 2016 may have been affected.
The data potentially accessed includes cardholder names, credit card numbers, expiration dates and verification codes.
“MSG has stopped this incident, and we continue to work with the computer security firms to further strengthen the security of our systems to help prevent this from happening again,” the company stated. “We have also been providing information to law enforcement regarding this matter.”
Spirion CEO Jo Webber told eSecurity Planet by email that the MSG breach once again demonstrates how easy it is for thieves to access payment processing systems. “The payment industry is very susceptible to this simple hack, and retailers must become more aware of cyber security threats and how to detect breaches early on,” she said.