What happened? A likely data breach occurred in December 2014 and was discovered in early January 2015.
How did the university respond? Metropolitan State University IT quickly disabled the vulnerability that permitted the breach and replaced the affected server. The university also completed additional security measures to minimize future security risks. A thorough IT forensics investigation was conducted by Minnesota State, MN.IT and Metropolitan State University IT staff.
What did you learn from the investigation? The initial forensics investigation determined that there was a probable exposure of the Social Security numbers belonging to approximately 900 faculty members from 2004 to 2009.
What was the result? In February, the university apologized to the 900 faculty and offered identity protection services by a vendor named Kroll, an industry leader in this area.
Why are you providing an update now? The full IT forensics investigation was recently concluded.
What did you learn? The investigation determined that there was likely exposure of a variety of personal information of approximately 160,000 students.
What kind of student information was exposed? The personal data exposed was varied and included a student's name in combination with some other information, which may include:
Demographic Information: date of birth/age, gender, race, ethnicity, country
Personal Information: home address/phone/email
Academic Information: Cumulative GPA, Term GPA, Local GPA and Transfer GPA, credits, grades, registration, transfers, majors, application, college
Star ID: StarID either alone or in an email address
Tech ID: Tech ID
The last four digits of Social Security numbers
Are the affected students current students? Approximately 25,000 of the 160,000 students are "current" students (enrolled in the last three years), while the remainder are from previous years.
Did all 160,000 affected students have the last four digits of their Social Security Numbers exposed? No. Both the name and last four digits of Social Security numbers were likely exposed for 11,000 students. Other personal data may have also been exposed.
Metropolitan State University's Response
How is the university responding to the results of this full investigation? We regret this incident and are sincerely apologizing to those impacted. We are sending a letter via US mail to the 11,000 students with likely exposure of the last four digits of their Social Security Numbers. We are keenly aware of how important personal information is to our students. To help relieve their concerns and restore confidence following this incident, we are partnering with Kroll to provide identity theft protection at no cost to the student for one year. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data. Kroll's licensed investigators will be available to answer questions or help with concerns.
What about the other 149,000 students? For students with other data exposed, we are communicating as permitted by Minnesota law via email, a posting on the Metropolitan State University web site, and via a news release to the media.
What can students do if they have questions? Metropolitan State University Gateway is available for support at Gateway@metrostate.edu or 651-793-1300.