Michigan State University (MSU) has been impacted by a data breach stemming from a cyber-attack on an Ohio law firm.
Bricker & Eckler LLP, which is associated with MSU Title IX contractor INCompliance Consulting, was hit with ransomware in January 2021.
An investigation into the incident determined that an unauthorized party gained access to certain Bricker internal systems at various times between approximately January 14 and January 31.
“Findings from the investigation indicate that the party obtained some data from certain Bricker systems during this period,” said the law firm in a data security incident notice.
“Bricker was able to retrieve the data involved from the unauthorized party and has taken steps to delete the data. At this time, Bricker has no reason to believe this data was further copied or retained by the unauthorized party.”
Data that may have been exposed in the attack includes names, addresses, and in certain instances medical-related and/or education-related information, driver’s license numbers, and/or Social Security numbers.
Lansing State Journal reports that the cyber-attack on Bricker resulted in the exposure of Title IX case information belonging to nearly 350 people at MSU.
In a letter sent this week to faculty, students, and staff, MSU wrote: “A limited number of individuals, some of whom are no longer affiliated with MSU, may have been impacted. Those individuals have been contacted and connected with the proper resources.”
MSU hired INCompliance in 2019 to investigate and resolve complaints regarding sexual misconduct, relationship violence, and discrimination.
The university said that the cyber-criminals who attacked Bricker had stolen documents from MSU cases handled by INCompliance. Among the documents were investigation reports, scheduling emails, and final determinations.
“INCompliance is the entity that we work with on some of those external investigations,” said Michigan State’s Title IX communications manager, Christian Chapman.
“Bricker and Eckler is their parent company or law firm, so to speak.”
Chapman said that the personal data of six people involved in MSU investigations had been leaked in the data breach.
“Our systems are secure and have not been impacted,” said Chapman. “And it will not impact any cases that are happening on MSU’s end.”