The National Student Clearinghouse (NSC) [1] [2] [3] [5] [6], a non-profit organization that provides educational reporting and data exchange services to colleges and high schools [1], recently reported a data breach to the California Attorney General’s Office. This breach [1] [2] [3] [4] [5] [6] [7], caused by a cyberattack from the Cl0p ransomware gang, exploited a security flaw in the MOVEit Transfer secure file transfer platform [2]. Personally identifiable information (PII) of students [7], including names [3] [7], birth dates [7], contact information [1] [3] [5] [6] [7], Social Security numbers [1] [3] [6] [7], student ID numbers [1] [3] [6] [7], and school-related records [1] [3] [7], was accessed by an unauthorized third party [1]. This breach impacted 890 schools [4] [7], and NSC has taken immediate action to address the issue.
Description
The National Student Clearinghouse (NSC) has reported a data breach to the California Attorney General’s Office on behalf of the affected schools. The breach occurred on May 30, 2023, as a result of a cyberattack by the Cl0p ransomware gang, who exploited a zero-day security flaw in the MOVEit Transfer secure file transfer platform [2]. The unauthorized third party accessed personally identifiable information (PII) such as names, birth dates [7], contact information [1] [3] [5] [6] [7], Social Security numbers [1] [3] [6] [7], student ID numbers [1] [3] [6] [7], and school-related records [1] [3] [7]. While the exact number of affected students has not been disclosed [1], it is known that 890 schools were impacted.
NSC has taken immediate action to address the breach. They have patched the software, enhanced monitoring capabilities [3], and offered identity monitoring services to the victims for a period of two years at no cost. Additionally, NSC has provided a comprehensive list of the educational organizations impacted by the breach [1], including schools, colleges [1] [3] [4] [5], and universities across the United States [3].
The total cost of the breach is still being determined [3], but it is believed that numerous organizations [3], including the National Student Clearinghouse [1] [2] [3] [5] [6] [7], have been affected [3] [5], potentially impacting millions of users and customers worldwide [3]. The Cl0p gang is estimated to have collected millions of dollars in ransom payments [7].
The affected schools were notified about the breach in late June 2023 [1], although limited details were provided at the time due to an ongoing investigation. It is worth noting that the breach has also affected organizations globally, including governments [7], financial institutions [7], and pension systems [7].
Conclusion
The impact of the MOVEit hack on colleges and universities is significant, with nearly 900 institutions affected according to the National Student Clearinghouse. Over 51,000 individuals have been directly impacted by the breach, as reported by the non-profit organization. Emsisoft [5], a cybersecurity firm [5], has stated that a total of 2,053 organizations were impacted [5], affecting over 57 million individuals [5].
Progress Software [5] [6], the makers of MOVEit software [5], disclosed a critical zero-day vulnerability that allowed unauthorized access to customer data [5]. The National Student Clearinghouse has confirmed that certain files within their MOVEit environment were accessed [5], potentially containing information from student records [4] [5]. They have hired a third-party cybersecurity firm to investigate the breach and have also contacted law enforcement [5].
This breach highlights the importance of promptly addressing vulnerabilities and regularly updating software to prevent future attacks [5]. It serves as a reminder for educational organizations and other institutions to prioritize cybersecurity measures and protect sensitive data.
References
[1] https://www.helpnetsecurity.com/2023/09/25/clearinghouse-moveit-breach/
[2] https://www.redpacketsecurity.com/national-student-clearinghouse-data-breach-impacts-schools/
[3] https://www.infosecurity-magazine.com/news/us-900-schools-breached-moveit/
[4] https://www.darkreading.com/application-security/moveit-flaw-900-university-data-breaches
[5] https://www.scmagazine.com/news/nearly-900-colleges-hit-by-moveit-hack
[6] https://vulnera.com/newswire/national-student-clearinghouse-data-breach-affects-900-us-schools/
[7] https://www.campussafetymagazine.com/safety/national-student-clearinghouse-data-breach-nearly-900-schools-impacted/