On July 14, 2023, the Idaho State Board of Education posted a notice of data on its website after learning that two of the Board’s vendors, the Teachers Insurance and Annuity Association (“TIAA”) and the National Student Clearinghouse (“NSC”), experienced data breaches related to the file-transfer software MOVEit. In this notice, Idaho Higher Education explains that the incident resulted in an unauthorized party being able to access students’ and employees’ sensitive information, which includes their full names, Social Security numbers, addresses and dates of birth. Upon completing their own investigations, TIAA and NSC will begin sending out data breach notification letters to all individuals whose information was affected by the recent data security incidents.
If you received a data breach notification from TIAA or the National Student Clearinghouse, it is essential you understand what is at risk and what you can do about it. Importantly, neither breach involved the computer systems of any Idaho university or college. However, student and employee information that was provided to TIAA and NSC by Idaho colleges and universities is still at risk. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the Idaho Board of Education data breach. For more information, please see our recent piece on the topic here.
What Caused the Data Breach Affecting Idaho Higher Education Students and Employees?
The data breach affecting Idaho’s colleges and universities was only recently announced, and more information is expected in the near future. However, Idaho Higher Education’s post entitled “WORLDWIDE DATA BREACH MAY AFFECT IDAHO HIGHER EDUCATION STUDENTS AND EMPLOYEES” provides some important information on what led up to the breach. According to this source, the Idaho Board of Education relies on TIAA to provide certain services related to employees. Additionally, the Idaho Board of Education relies on NSC to provide enrollment and degree data on their students.
To perform the services TIAA and NSC are contracted to carry out, Idaho colleges and universities must provide the companies with information about students and employees.
Evidently, the Idaho Board of Education recently learned that both TIAA and NSC experienced data breaches related to the companies’ use of the MOVEit file-sharing program. Progress Software, the developer of MOVEit, announced a critical and previously unknown vulnerability within MOVEit. This vulnerability allows unauthorized actors to access certain information contained within the organization’s MOVEit server.
The Idaho Board of Education was informed by NSC and TIAA that these companies are investigating the respective incidents and will continue to keep students and employees updated. However, at this point, the Idaho Board of Education reports that the incident may affect your full name, Social Security number, address and date of birth. However, the specific data types leaked will likely vary by individual.
According to the Idaho Board of Education, the following colleges and universities were affected by the TIAA and NSC MOVEit breaches:
- North Idaho College,
- Lewis-Clark State College,
- The University of Idaho,
- College of Western Idaho,
- Boise State University,
- College of Southern Idaho, and
- Idaho State University.
Again, both breaches affecting NSC and TIAA did not involve hackers accessing any computer system belonging to an Idaho institution of higher learning.
