Sep 25 2023

MOVEit fallout continues as National Student Clearinghouse says nearly 900 schools affected

Category: Cyber Attack, Information Security | disc7 @ 2:18 pm

https://therecord.media/moveit-fallout-continues-nsc-schools

The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.

The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.

In June, the organization first confirmed that it was affected by exploitation of the tool, which was targeted via several critical vulnerabilities by the ransomware gang Clop.

Dozens of schools published notices confirming that student and alumni data was accessed in the breach, but it was never clear just how many colleges or universities were affected.

In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.

The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.

The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.

NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.

“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”

The attack on NSC was one of several involving MOVEit that had wide-ranging downstream effects. The Clop ransomware gang targeted several organizations with connections to other companies or businesses, including PBI Research Services and the Teachers Insurance and Annuity Association of America (TIAA).

Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.

Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”

“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.

“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”

North of the border

UnitedHealthcare Student Resources Notifies Individuals of Data Security Incident


Tags: MOVEit, supply chain attack
