Michigan State University (MSU) revealed about a data breach on its shop.msu.edu online store, in which the attackers managed to steal credit card and personal information of about 2,600 users.
The attackers injected malicious scripts that could harvest and exfiltrate customers’ payment cards after exploiting a newly addressed website vulnerability.
In these kinds of attacks called as web skimming attacks or Magecart or e-skimming, the attackers deploy card skimmer scripts on e-commerce sites via compromised admin accounts.
MSu stated that an unauthorized party attained access to Michigan State University’s online store, shop.msu.edu, and placed malicious code to expose shoppers’ credit card numbers between Oct. 19, 2019 and June 26, 2020.
On initial investigation of the breach, it was found that the exposed information included names, addresses and credit card numbers of about 2,600 customers. However, the university stated that no Social Security numbers were stolen during the nine months the attackers had access to the shop.msu.edu online store.
The university’s security team addressed the vulnerability which was used to gain access to the compromised online shop and they are currently working with law enforcement as part of an ongoing investigation.
MSU Interim Chief Information Security Officer Daniel Ayala said that they would prevent any further exposure of consumers’ information by sharing resources and tools to help protect them from these cyber criminals.
Those consumers who believe that they may have been impacted by this incident and have not yet received an official notice from the university by Aug. 30, are encouraged to call the university at 517-355-1855.
All potentially affected customers are notified by MSU and are offering all of them free identity protection and credit monitoring.
The administrators of the shop.msu.edu site is required to go through mandatory training to make sure that they will follow all appropriate security measures to prevent any attacks in the future.
Image Credits : MSUToday