“An unauthorized party gained access to Michigan State University’s online store, shop.msu.edu, and placed malicious code to expose shoppers’ credit card numbers between Oct. 19, 2019 and June 26, 2020.” – MSU


This week, Michigan State University confirms a credit card skimming attack that put over 2,600 customers at risk. With Big Ten football on hold, maybe it’s time to focus strength elsewhere, like the cyber security department.


Michigan State University

Before we dive into the attack, let’s establish some background on the victim of the attack, MSU. Michigan State is a university located in, yes you guessed it, the great state of Michigan.

This university in question is part of the Big Ten conference, and not to be confused with the other Big Ten football school, The University of Michigan. 

Further, due to COVID-19 many sports and conferences are delaying college football for the fall season. Now, since we don’t have football to converse over, let’s talk about cyber security!


The Attack

To begin, in a recent statement from the university, MSU discloses that they in fact fell victim to a credit card skimming attack on their shop.msu.edu site. Honestly, that is what you get for buying MSU merchandise… (joking! PSU alumni over here!).

Moving on, the overall timeline of the attack is as follows. Attackers gained unauthorized access to the site for a period of roughly nine months. Thus, giving them enough time to attack before security services detected the breach.

Over the period of time attackers accessed the site, they were able to use malicious code to gather customer information like full names, cell phone numbers and credit card information. 


MSU Response

Continuing on, the statement that the university released began with an introduction addressing the breach. It then moves into information regarding the breach, customer information and an investigation.


“The intrusion is a vulnerability in the website which has since been addressed. Once the university was notified, an initial investigation determined the exposed information included names, addresses and credit card numbers of about 2,600 customers. Once it became aware of the breach, the university’s information security team promptly corrected the vulnerability. No Social Security numbers were compromised and MSU is working with law enforcement in the investigation.”


While it is a relief to see that social security numbers did not appear on the list of casualties, exposed credit card numbers and other customer info is still at risk. 

The university goes on to mention that they are working with IT systems and security departments to prevent this from ever happening again. Further, MSU plans to contact those affected by the attack and offer free credit monitoring and identity protection services. 

Overall, the response from MSU is what most businesses, universities and other victims of a cyber attack go with. The bases of addressing the attack, what information fell victim and how they will help those affected are all covered. 

The university also plans to provide cyber security training review to those who work in and for the MSU shop in order to prevent something like this from happening again.


By Taylor Ritchey