On July 7, 2023, the University of Dayton (“UD”) posted a website notice informing students and faculty of a data security incident involving two of UD’s major service providers. In this notice, UD explains that the incident involved the National Student Clearinghouse (“NSC”) and the Teachers Insurance and Annuity Association (“TIAA”) and resulted in an unauthorized party being able to access sensitive information belonging to students and former faculty members. Upon completing its investigation, NSC and TIAA are expected to begin sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a data breach notification from the National Student Clearinghouse or the Teachers Insurance and Annuity Association, it is essential you understand what is at risk and what you can do about it. While this incident did not impact UD’s computer network, it did involve confidential information provided to NSC and TIAA. This necessarily increases victims’ risk of experiencing identity theft and other frauds. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the University of Dayton data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach University of Dayton Students and Faculty?

The University of Dayton data breach was only recently announced, and more information is expected in the near future. However, UD’s website notice, entitled “Alert about third party data incident affecting University community,” sheds some light on the issue.

Both the National Student Clearinghouse and the Teachers Insurance and Annuity Association informed the University of Dayton that confidential information provided by UD was subject to unauthorized access. Evidently, both incidents involved a file transfer software called MOVEit, which is used by NSC and TIAA. MOVEit is a product developed by Progress Software. In late May 2023, Progress identified a zero-day vulnerability within MOVEit which allowed unauthorized parties to access information contained within the program.

The University of Dayton’s notice explains that the NSC data breach involved undergraduate and graduate student records, while the TIAA data breach involved former employees and retirees. The University of Dayton does not use MOVEit, and none of the school’s computer systems were affected by the breach.

On July 7, 2023, the University of Dayton posted notice of these two cybersecurity incidents to inform students and faculty; however, UD notes that NSC and TIAA are investigating the incidents and will provide individual notice to those who were affected.

More Information About the University of Dayton

Founded in 1850, the University of Dayton is a private Roman Catholic research university located in Dayton, Ohio. UD offers over 80 academic programs in the arts, sciences, business administration, education, health sciences, engineering and law. The University of Dayton enrolls approximately 11,300 students annually. The University of Dayton employs more than 2,650 people and generates approximately $296 million in annual revenue.