Malware skimmed credit card numbers from Michigan State’s online shop

Code embedded in an official university website selling Spartan-branded sweatshirts and mugs compromised financial information of about 2,600 customers.
Michigan State University
(Michigan State University)

Anyone who used Michigan State University’s online shop to buy Spartan gear between Oct. 19 and June 26 may have gotten more than they bargained for. 

The university announced on Monday that was compromised last year and that “malicious code” embedded into the website stole the credit card numbers of about 2,600 customers.

The university said its technology department has since corrected the vulnerability and is now working with law enforcement to study the incident. The university also said it’s offering those affected free credit monitoring and identity protection services.

“Our top priority is preventing any further exposure of consumers’ information by sharing resources and tools to help protect them from these cyber criminals,” Daniel Ayala, MSU’s interim chief information security officer said in a statement provided to MSU Today. “The security of our IT systems and those who use them are of paramount importance to MSU. We are deeply sorry and understand the concern of those affected. We are working around the clock to make it right.”


In addition to the university’s existing mandatory security training, administrators of the website will also undergo “advanced training,” according to the announcement. 

The security incident is the second for Michigan State University this year. In May, servers and workstations in its physics and astronomy department were infected by NetWalker ransomware. In that incident, the attackers posted some of the stolen files on a public website as proof of the success of their cyberattack, along with a countdown clock with about one week remaining. The university announced days later that, following the recommendation of law enforcement, they had not paid the ransom.

A spokesperson told EdScoop the two attacks were not related.


Colin Wood

Written by Colin Wood

Colin Wood is the editor in chief of StateScoop and EdScoop. He’s reported on government information technology policy for more than a decade, on topics including cybersecurity, IT governance and public safety.

Latest Podcasts