National Student Clearinghouse and TIAA Notify SUNY Freedonia, CSU, and UB University at Buffalo of MOVEit Data Breach

Richard Console, Jr.
Console and Associates, P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

Over the past few weeks, three large universities posted notices of third-party data breaches after learning that two of the Universities’ vendors, the Teachers Insurance and Annuity Association (“TIAA”) and the National Student Clearinghouse (“NSC”), used MOVEit, a file-transfer software that was recently discovered to contain a vulnerability allowing hackers to access information stored within the platform. While NSC and TIAA are still investigating the incidents, once they determine who was affected, they will begin sending out data breach notification letters to all affected parties.

If you are a student or employee at SUNY Freedonia, Colorado State University, or UB University at Buffalo and you receive a data breach notification from National Student Clearinghouse or TIAA, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the NSC / TIAA data breaches. For more information, please see our recent piece on the topic here.

What Caused the National Student Clearinghouse Breach?

The National Student Clearinghouse and TIAA data breaches were only recently announced, and more information is expected in the near future. And while the two breaches have their differences, they both involve MOVEit, a popular file transfer program.

MOVEit is a product of Progress Software. On May 31, 2023, Progress Software announced a zero-day vulnerability within MOVEit that allowed hackers to access information stored on various organizations’ MOVEit servers, including NSC’s. While TIAA did not use MOVEit, the organization provided confidential faculty information to one of its vendors, Pension Benefit Information (“PBI”), which used MOVEit to transfer that data. In other words, TIAA is a vendor used by colleges and universities, and PBI is a vendor used by TIAA.

Thus, while none of the aforementioned universities used MOVEit, because NSC and PBI used the program, sensitive student and faculty data was compromised.

Once NSC and PBI learned of the vulnerability and possible data breach, they launched their own investigations. These investigations confirmed that an unauthorized party obtained certain files transferred through their respective MOVEit environments, including files containing data that the organizations maintain on behalf of certain universities. The following universities were recently notified by NSC and TIAA that their students’ data was among that which was compromised:

  • UB University at Buffalo,
  • SUNY Freedonia, and
  • Colorado State University.

After learning that sensitive consumer data was accessible to an unauthorized party, National Student Clearinghouse and Pension Benefit Information began to review the compromised files to determine what information was leaked and which consumers were impacted. NSC and PBI are both still in the process of reviewing the affected data types and identifying which students were affected.

Once the National Student Clearinghouse and PBI complete their investigations, the companies will send out data breach letters to anyone who was affected by the recent data security incident.

Why Does the National Student Clearinghouse Have Students’ Confidential Information?

The National Student Clearinghouse is an organization that provides educational reporting, data exchange, and verification services to over 3,600 colleges and universities nationwide. To allow NSC to perform these services, colleges and universities must provide NSC with students’ confidential information.

Why Does TIAA Have Faculty Members Confidential Information?

TIAA provides retirement benefit services to colleges and universities, among other organizations. To allow TIAA to perform these services, colleges and universities must provide TIAA with employees’ confidential information.

More Information About National Student Clearinghouse

Founded in 1993, National Student Clearinghouse is an education verification and student educational outcomes research organization based in Herndon, Virginia. The organization oversees 97 percent of students enrolled in public and private higher education institutions and 70 percent of students enrolled in public and private high schools. National Student Clearinghouse employs more than 300 people and generates approximately $28 million in annual revenue.

More Information About the Teachers Insurance and Annuity Association of America

Founded in 1918 and based in New York City, New York, the Teachers Insurance and Annuity Association of America is a provider of financial services in the academic, research, medical, cultural and governmental fields. TIAA employs more than 15,800 people and generates approximately $40 billion in annual revenue.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.
Console and Associates, P.C.
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide