- The National Student Clearinghouse said nearly 900 colleges suffered a data breach during the mass hack of the file-sharing tool MOVEit, according to filings last week with the California attorney general’s office.
- Progress Software, the company behind the MOVEit tool, informed National Student Clearinghouse in late May about the data breach. During the attack, cybercriminals obtained files containing personal information such as names, birth dates, Social Security numbers, student identification numbers and school records.
- The list of affected colleges is wide ranging. It spans from Ivy League institutions like Cornell University to large public colleges, including several in the California State University system.
Hundreds of organizations have been swept up in the massive MOVEit attack, which was carried out by a Russian ransomware gang called Clop. The National Student Clearinghouse’s notice gives a deeper look at the mass hack’s impact on higher education.
The organization’s list of impacted institutions includes colleges across the U.S. For instance, colleges in both of New York’s public higher education systems were affected, including SUNY Cortland and the City University of New York’s Hunter College. Large public flagships, like the University of Missouri, were also affected by the breach.
Although colleges make up the vast majority of institutions in the National Student Clearinghouse’s notice, the list also includes high schools and some education organizations.
The hack impacted more than 51,000 people, according to a separate notice that the National Student Clearinghouse filed with Maine regulators last month.
The clearinghouse, which provides educational data reporting and research services, isn’t the only major higher education organization hit in the MOVEit attack.
TIAA, a retirement giant for educators and academics, also confirmed earlier this year that one of its third-party vendors had been exposed in the MOVEit breach. Multiple colleges, including Middlebury College in Vermont and Webster University in St. Louis, have since notified their campuses they were hit by both the TIAA and National Student Clearinghouse breaches.
“The organizations between them likely deal with a significant percentage of schools in the U.S., which means it’s quite possible that this incident will have affected the majority of the schools in the U.S.,” Brett Callow, a threat analyst at cybersecurity company Emsisoft, told Higher Ed Dive in July.