Hackers begin publishing stolen documents after Michigan State refuses to pay ransom

Mark Johnson
Lansing State Journal

EAST LANSING — A hacker began publishing stolen Michigan State University financial documents and personal information this week, shortly after MSU refused to pay a ransom.

The documents were published Wednesday or Thursday, according to screenshots provided by Brett Callow, a threat analyst with the anti-malware company Emsisoft. The screenshots show that 3.2 gigabytes of information have been published, with more coming "soon" in a second installment.

A sampling of some of the information published includes a student's passport, an MSU letter from 2014 offering someone a postdoctoral research associate appointment and a receipt from a pizza order, according to information provided by Callow. 

He noted that hackers in ransomware events typically post older and less-sensitive information first, giving the organization more incentive to pay the ransom to prevent the more sensitive information from being published. 

MSU suffered a ransomware attack on Memorial Day. A hacker raided Department of Physics and Astronomy servers and demanded an unspecified ransom with a countdown clock that suggested the information would be published if the bounty wasn't paid by Wednesday, the same day MSU officials announced they would not be paying the ransom.

"We are aware of the release of documents by those who attacked our servers and workstations and are scouring the information to identify anyone who may be impacted and provide them with the appropriate resources," said MSU spokesperson Dan Olsen, in an emailed statement. "While it remains that this was an isolated incident that only affected one department on campus, we recognize that any intrusion causes concern.

"Prior to the public release of some of these files, MSU began providing information to those we believe may have been impacted by this intrusion on ways to protect themselves from identity theft. We will continue to review the files we know were compromised and work diligently to identify and immediately update any additional people we believe may be impacted."

The breached servers and workstations went offline soon after the breach to avoid further exposure, according to Olsen. 

Contact Mark Johnson at 517-377-1026 or at majohnson2@lsj.com. Follow him on Twitter at @ByMarkJohnson.