MSU report: Hack sought personal data, but most safe

Feb. 28—MANKATO — An investigation by Minnesota State University into the improper sharing of nonpublic personal information of students, staff and donors found that 142,226 individuals were affected — more than triple the number reported in December.

But most of the private data was not in the database of a cloud services company that was hacked last summer in a ransomware attack, according to the report completed earlier this month.

The investigation was launched after the discovery of a ransomware attack on the computer systems of Blackbaud, a South Carolina-based cloud services company used by the fundraising arms of numerous nonprofits and colleges, including MSU and South Central College. The hackers potentially had access to a variety of personal information compiled by MSU and SCC and stored with Blackbaud.

The final report completed by Michael Menne, MSU's chief information security officer, listed the information provided to the MSU Foundation for fundraising purposes that should have been kept private.

"Not-public data shared with the Foundation included country of birth, gender, last 4 digits of Social Security Number, marital status, birth date, TechID, high school and years of attendance, ethnicity, and status as a first-generation college student," Menne's report stated.

However, virtually none of that data was accessed during the Blackbaud security breach — the only exception being people's date of birth.

"Financial data, social security numbers and passwords were not accessed as part of the Foundation's Blackbaud security incident," according to the report, which was issued following an investigation conducted by a team of nine MSU officials.

SCC did not conduct any further investigation after informing 13,282 students, staff, alumni and donors on Dec. 18 of the Blackbaud breach. In SCC's case, the final conclusion was that the college had improperly shared with its fundraising foundation full Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and campus ID numbers, and that the data "may have" been in the compromised Blackbaud database.

Hospital systems, nonprofit organizations and colleges across the country had information stored with Blackbaud, including 12 of the state colleges and universities in the system of 37 public higher education institutions in Minnesota. Other Minnesota state colleges impacted by the data breach were Alexandria Technical and Community College, Bemidji State University, Inver Hills Community College, Itasca Community College, Metropolitan State University, Minnesota State University-Moorhead, Ridgewater College, Saint Paul College, Southwest Minnesota State University, and St. Cloud Technical and Community College.

Both MSU's report and SCC's earlier report state that there has been no "final disposition of disciplinary action" against any employee for violating the Family Educational Rights and Privacy Act, which obligates colleges to protect the privacy of students and staff. Under the law, SCC and MSU should have supplied their fundraising foundations only "directory information" such as a student's name, field of study and dates of attendance and "limited directory information" such as a mailing address or email address.

According to MSU's report, the state college system "is reviewing its contractual relationship with Blackbaud and will ensure additional security measures are in place."

The Blackbaud hacker, who has not been caught, demanded an undisclosed amount of ransom from Blackbaud in return for destroying the data he or she had obtained. The company paid the ransom and claimed that it received confirmation that the hacker had destroyed the private data.

A class-action lawsuit filed against Blackbaud by some of the millions of affected Americans is being heard in a U.S. District Court in South Carolina.