The ongoing cyberattack exploiting MOVEit file-transfer software has taken a toll on US colleges and universities.
At least 30 institutions have been notified that personal information of students and employees may have been exposed through vendors — including the Teachers Insurance and Annuity Association of America, or TIAA — that use MOVEit or have a service provider that does, according to statements from the schools.
The impacted colleges and universities include Stony Brook University, Middlebury College, Rutgers University, Loyola University Chicago, Trinity College in Connecticut, Colorado State University, the University of Dayton and the University of Alaska.
Given the nature of the attack, many more institutions may have had data exposed, cybersecurity experts said.
The colleges and universities are among dozens, perhaps hundreds, of companies and organizations that were impacted by a Russian-speaking gang that exploited a flaw in a popular file-transfer product to steal data. In addition to the schools that were affected via vendors, some others, including the University of California, Los Angeles and the University of Georgia, were ensnared because they used MOVEit’s platform, according to statements from the institutions.
The impact on the higher education sector shows the potential ripple effects of software breaches — TIAA, for instance, didn’t use MOVEit but an outside vendor did — and the widening repercussions of the MOVEit attacks.
Clop, the hacking group that has claimed credit for the attack, demands money from hacking victims in exchange for not publishing stolen information from victim organizations online. In this instance, it doesn’t appear any significant data has been leaked yet from the colleges and universities. Clop shared links to download files on three of the universities it claimed to have breached, but Bloomberg News couldn’t verify the contents.
It’s not known if any of the schools paid a ransom to the hackers.
Some of the institutions that were hit are still trying to figure out the extent of the breaches.
“New details are emerging daily from MOVEit and other third-party vendors, so the university does not yet have complete information about the extent to which our data was involved, including details about what university data may have been part of the incident” Colorado State University said in statement. Middlebury and Dayton confirmed that some data was exposed, while Stony Brook, Rutgers, Loyola, Trinity and Alaska said they were informed of a possible exposure.
Many of the affected colleges and universities learned about the cyberattacks after being alerted by TIAA, the National Student Clearinghouse, or other vendors. Colorado State, for instance, was notified of potential data exposure by both TIAA and NSC, along with four other vendors, according to a university statement.
The National Student Clearinghouse said in a statement that hackers obtained files transferred through its MOVEit system, including some maintained for customers. Rutgers, for instance, said it was notified of a cybersecurity issue by the Clearinghouse. “At this point, the impact on Rutgers information is unclear,” according to a statement from the university. “Rutgers administrators are monitoring the issue closely.”
TIAA said a vendor, PBI Research Services, used MOVEit and experienced a “cybersecurity incident.” PBI confirmed the breach in a statement. TIAA, which provides investment and insurance services, said it had been in contact with impacted institutions.
Third-party data exposures are “extremely complex,” said Brett Callow, a threat analyst for the cybersecurity firm Emsisoft. “Some companies and organizations will invariably have had exposure via third parties and not realize it.”
“It’s very hard to say because we don’t know exactly what information is being extracted, how much of it there is, what other information it could potentially be paired with,” he said.
Clop, which is also known as Cl0p, exploited a flaw in MOVEit software that allowed them to access sensitive customer data from some customers.
“The reality today is that sophisticated cybercriminal groups are executing highly complex campaigns at an increasingly rapid rate,” said John Eddy, a spokesperson for Progress Software Corp., which markets MOVEit. “While no one is immune, our primary goal is to work to address the security and safety of our customers.”
Clop has claimed credit for breaching more than 381 organizations on its dark web page, according to Callow. While the number is difficult to confirm, several dozen companies and organizations have publicly acknowledged being impacted, including Ernst & Young, the government of Nova Scotia, the Minnesota Department of Education and the British communications regulator Ofcom.
More potential victims keep emerging. On Wednesday, Allegiant Air said an authorized party obtained data — including from current and former employees and one customer — by using the MOVEit vulnerability.
How Clop-MOVEit Hack Shows Evolution in Cyberattacks: QuickTake
The financial services sector has also been impacted, with at least 11 institutions reporting that data may been exposed. Some of the affected firms, including Indiana-based First Merchants Bank, have said that personal information such as names, contact details, account numbers and social security numbers may have been exposed.
A spokesperson for Texas-based PlainsCapital Bank, which was also ensnared by the MOVEit attacks, said via email that the incident is receiving the highest level of attention at the company. The company’s investigation hasn’t found any indication that customer information has been used to commit identity theft or fraud, a spokesperson said early July.
As is the case with higher education, financial institutions regularly handle sensitive data, raising the stakes for hacks involving information theft. “Almost everybody in the world has some sort of bank account, mortgage, student loan, credit card, whatever it might be,” said Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center, known as FS-ISAC, an industry group that shares cyber intelligence among financial institutions around the world.
The National Student Clearinghouse is a nonprofit that provides degree and enrollment verification and research services. The group has 3,600 participating colleges and universities, representing 97% of students in public and private institutions, according to the organization’s website. The Clearinghouse provides enrollment status, and other student information, to lenders, servicers and the US Department of Education on behalf of institutions.
The data exposed “may have included information from the student record database on current or former students,” the Clearinghouse said in a statement.
It’s not known how many of the colleges and universities that report data to the Clearinghouse were caught up in the attacks. A Clearinghouse spokesperson declined to comment on the matter.
James Shreve, chair of the cybersecurity practice at law firm Thompson Coburn LLP, said he’d be surprised if all 3,600 schools were impacted, but that the possibility couldn’t be ruled out.
“One of the unfortunate things about incidents like this is that a school is dependent on what they’re being told by NSC and TIAA,” Shreve said, “and that investigation is ongoing.”
--With assistance from Tanaz Meghjani, Marnie Muñoz and Margi Murphy.
(Adds additional information in the sixth paragraph and 12th paragraph.)