The Michigan State University (MSU) has recently fallen victim to a data breach incident as a result of a cyberattack on an Ohio-based law firm. 

The MSU-associated law firm:

The Ohio-based law firm Bricker and Eckler LLP is associated with MSU Title IX contractor INCompliance Consulting.

In 2019, MSU had recruited INCompliance to investigate and resolve complaints regarding sexual misconduct, relationship violence, and discrimination.

Back in January 2021, Bricker and Eckler law firm was compromised in a ransomware attack.

The investigation carried out to analyze the ransomware attack on the MSU-associated Bricker and Eckler LLP revealed that an unauthenticated attacker or attacker had accessed some of the internal network systems of the law firm at multiple instances between  January 14 to January 31.

MSU-associated Bricker and Eckler also affirmed that outcomes firm the ransomware attack investigations determined that the unauthorized actor or actors acquired some data from some of their internal systems.

Bricker was able to retrieve the data involved from the unauthorized party and has taken steps to delete the data. At this time, Bricker has no reason to believe this data was further copied or retained by the unauthorized party.” the law firm noted.

However, the data that was stolen from their systems may have severely compromised and exposed private information such as names, addresses, as well as medical-related and/or education-related information, driver’s license numbers, and/or Social Security numbers.

MSU acknowledgements:

Sources analyzing the Michigan State University impact in the data breach as a link to the Ohio firm have noted that the Title IX case data that was exposed jeopardized the private information of more than 300 people. 

Subsequently, a notice letter was forwarded to MSU students, faculty, and staff members that alerted them of the data breach.

“A limited number of individuals, some of whom are no longer affiliated with MSU, may have been impacted. Those individuals have been contacted and connected with the proper resources,” stated the alert notice.

“INCompliance is the entity that we work with on some of those external investigations,” stated Christian Chapman, Michigan State’s Title IX communications manager.

“Bricker and Eckler is INCompliance’s parent company or law firm, so to speak.”

The spokesperson also provided that the private data of six people concerned in MSU investigations had been exposed in the data breach.

The university, however, has affirmed that the malicious actor or actors who hacked Bricker and Eckler systems had stolen reports from Michigan State University cases managed by INCompliance.

These reports included investigation analytics, scheduling emails, and final determinations. 

“Our systems are secure and have not been impacted,” said Chapman. “And it will not impact any cases that are happening on MSU’s end.”