Utah State University has been notified by three vendors, the National Student Clearinghouse (NSC), TIAA, and The Hartford, that they have experienced a data breach in a file transfer software package called MOVEit made by Progress Software, and that this breach has impacted the data of some USU employees and students.
Importantly, Utah State University does not use the MOVEit software and no systems operated or maintained by USU were breached. Still, the University is actively monitoring the situation and will share relevant future information it receives from NSC, TIAA and The Hartford.
Employees and students whose data was exposed in this breach will be contacted by mail by the NSC and Pension Benefit Information (PBI), which is a subcontractor to TIAA and The Hartford. This notice will include more information about the data impacted and also offer two years of complimentary credit monitoring and identity restoration services through Kroll.
Below is a list of frequently asked questions, which will be continuously updated as we receive more information.
What happened?
According to NSC, software provider Progress Software recently announced a security vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. According to Progress Software, an unauthorized party discovered the vulnerability in the MOVEit Transfer software, which could allow unauthorized access to files being transferred using the tool. NSC has posted details about this incident on its website.
Based on NSC’s ongoing investigation, they have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that is maintained on behalf of some of its customers. NSC has indicated there is no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse or any specific university.
According to TIAA, the incident involves the MOVEit Transfer software used by their vendor, Pension Benefit Information, LLC (PBI), to match personal data against death notices for TIAA's death claim and beneficiary processes. TIAA has informed us that their systems remain unaffected, that no unusual activity in TIAA accounts has been observed, and that their systems are not susceptible to the security vulnerability associated with this incident.
According to The Hartford, in May, Progress Software reported a vulnerability in their MOVEit Transfer software exploited by cybercriminals. However, The Hartford has stated that they don't use this software, so their systems remained unaffected. Pension Benefit Information, LLC (PBI), a vendor used by The Hartford's Group Benefits business, was impacted, and customer data was compromised. According to The Hartford, the breach did not involve personal health information. The Hartford is closely collaborating with PBI to identify and support impacted customers and employees.
What this means for USU
No systems operated or maintained by USU were breached. We are providing this information so everyone in our community can take steps to protect their personal information.
USU takes data privacy and information security very seriously and this matter is of utmost and vital importance to the university. USU is actively evaluating the extent of the impact on students and employees.
What personal information was involved and who was impacted?
The information that may have been compromised includes both employee and student records.
- The National Student Clearinghouse stated that the affected data includes information from the student record database for current or former students.
- TIAA and The Hartford have reported that the data compromised using PBI includes first and last names, addresses, dates of birth, genders, and Social Security Numbers of individuals.
What measures are being taken by National Student Clearinghouse?
- Upon identifying this vulnerability, the NSC launched an investigation and took steps to secure relevant systems. Their investigation determined that an unauthorized party obtained files which contained personal information that is maintained on behalf of member organizations.
- The Clearinghouse promptly took measures to protect customer data and its systems by applying the relevant security patches and diligently following guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
- As a precautionary measure, to prevent the occurrence of further data breaches, NSC rebuilt the Clearinghouse’s entire MOVEit environment, using new installations of the latest operating systems as well as installing a clean copy of the latest version of the MOVEit Transfer application.
- The NSC is conducting a third-party forensic review to identify affected institutions and their specific students.
- The NSC will inform any affected college of any compromised student data.
What measures are being taken by TIAA and The Hartford?
The Hartford has reported taking action to verify PBI's software vulnerability remediation, ensuring no further impact on their systems. They are currently collaborating with PBI to identify affected employees of The Hartford's Group Benefits customers. PBI will directly notify impacted individuals and provide credit monitoring and Identity Theft Restoration services. These notices will be sent starting July 31, 2023. The Hartford expresses confidence in continuing to use PBI, as they have implemented necessary safeguards and conducted thorough investigations to address the software vulnerability.
TIAA has also reported taking immediate action in response to the incident, ensuring that those affected will receive letters from PBI offering complimentary two-year credit monitoring. Law enforcement has been informed, and TIAA's Information Security experts are working closely with the vendor to address the issue. The incident response team is actively engaged, dedicated to resolving the situation promptly. Additionally, TIAA provided Cyber Tips to assist participants in enhancing their online security.
Please note that PBI will notify the impacted individuals directly and offer two years of complimentary credit monitoring and identity restoration services through Kroll.
Things you can do to protect yourself
- Be extra vigilant: It is possible that cybercriminals may leverage stolen personal information from this attack to craft convincing phishing attacks in the coming weeks and months. An email, notice, or text message containing accurate information about you or one of your accounts is not enough to verify authenticity. Verify the source of a message before responding. Take note of how to identify a phishing attack. Phone calls may also be used to obtain personal or financial information.
- Monitor your financial accounts and credit: It is always wise to monitor your credit report for unusual activity. Consider putting a credit freeze in place to frustrate would-be scammers if you believe you are being targeted.
- Secure your accounts: Remember to enable two-factor authentication and to use long passphrases for all of your accounts. Never give someone your password or a two-factor code if asked for it, even if they claim to be from a trusted organization.
- Update your Banner Account: Keep your Banner account updated to ensure you receive important notices.