Colleges across the U.S. — from Middlebury College in Vermont to the University of California, Los Angeles — say they’ve been swept up in the cyberattack exploiting a security vulnerability in Progress Software’s MOVEit service, which enables organizations to transfer large data files.
Clop, a ransomware group, has taken responsibility for the attacks on the dark web, claiming to have stolen data from hundreds of organizations. Prior to Clop’s latest attacks, government officials estimated the group had compromised over 3,000 organizations in the U.S. — and even more based elsewhere.
The attacks have fallen heavily on the education sector, where widely used vendors have confirmed breaches linked to the MOVEit vulnerability. Some individual colleges that use MOVEit software say they have also been affected.
Below, we’re rounding up some of the major higher education groups and colleges that have confirmed cybersecurity incidents related to the MOVEit breach.
National Student Clearinghouse
The National Student Clearinghouse, which collects enrollment and other student data from thousands of colleges, recently announced it was investigating a cybersecurity issue stemming from the MOVEit mass hack.
“Based on our ongoing investigation, we have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that we maintain on behalf of some of our customers,” the organization said.
The clearinghouse has notified the institutions whose data may have been impacted. Indeed, several colleges have recently said they received such notices, including St. Mary’s University, Webster University and Trinity College.
It’s unclear what data may have been compromised. The clearinghouse’s notice said it may have included “information from the student record database.”
The organization is working with a global cybersecurity firm and law enforcement to investigate the incident.
A spokesperson for TIAA, a financial services provider for educators and academics, confirmed Friday that the MOVEit breach affected one of its third-party vendors, PBI Research Services, which audits member deaths and locates beneficiaries.
The breach was confined to TIAA’s vendor, not TIAA’s own systems, the spokesperson said. But PBI Research Services handles sensitive information for pension funds and insurance companies, including names, Social Security numbers and birth dates, according to class-action lawsuits recently filed against the vendor over the MOVEit breach.
TIAA hasn’t observed unusual activity stemming from this event but is continuing to monitor member accounts, the spokesperson said. PBI Research Services is offering affected people free credit monitoring for two years, the TIAA spokesperson said.
Some colleges that use TIAA’s services have said they’ve been notified by the retirement giant that it was caught up in the cyberattack. And multiple colleges report being hit by both the TIAA and clearinghouse breaches, including Webster, Trinity and Middlebury College. In its statement, Middlebury said TIAA confirmed that the college’s data was exposed.
TIAA’s website says it serves more than 15,000 institutions.
CalPERS and CalSTRS
The California Public Employees’ Retirement System, or CalPERS, is the largest public pension system in the U.S., and its 2 million-plus members include employees from California State University.
Meanwhile, the California State Teachers' Retirement System, or CalSTRS, provides retirement benefits for the state’s public educators, including those working in community colleges. With more than 949,000 members, CalSTRS is the largest retirement system for teachers, according to its website.
Both of them recently announced that they’ve been impacted by the MOVEit breach through a PBI Research Services. In CalPERS’ case, the incident involves the personal information of roughly 769,000 of its members, it announced.
“This external breach of information is inexcusable,” CalPERS Chief Executive Officer Marcie Frost said in a statement. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
In CalSTRS’ announcement, the organization said the files affected contained the names, Social Security numbers, birth dates and zip codes of some members and their beneficiaries.
University System of Georgia
The University System of Georgia, which oversees more than two dozen public colleges, confirmed in June that it may have been impacted by the MOVEit data breach, the Valdosta Daily Times reported.
The system purchased the MOVEit software for “storing and transferring sensitive data,” the university said in a statement. Once the system learned of the security vulnerability in the software, its cybersecurity experts began evaluating the scope of the potential data exposure, it said. Staff members also implemented Progress Software’s recommendations, such as applying patches to remedy the security flaw.
The system did not answer questions Friday about whether it had contacted Clop or paid a ransom.
Johns Hopkins University
Johns Hopkins University, as well as the Johns Hopkins Health System, recently said it is investigating a cybersecurity attack related to the MOVEit vulnerability. The breach occurred at the end of May, according to the June announcement.
The incident may have included sensitive personal and financial data, such as names, contact information and health billing records.
“We are working now to assess the full scope of the incident and will be reaching out to all impacted individuals in the coming weeks,” the university said.
A spokesperson for the university did not answer whether Johns Hopkins contacted Clop or paid a ransom, instead referring Higher Ed Dive to its initial announcement.