On July 11, 2023, Washington State University (“WSU”) posted a notice on its website explaining that a third-party data breach leaked personally identifiable information belonging to current and prospective students as well as employees. In this notice, WSU explains that the incident involved two service providers, National Student Clearinghouse (“NSC”) and the Teachers Insurance and Annuity Association (“TIAA”), as well as one of TIAA’s vendors, Pension Benefit Information, LLC (“PBI”). WSU notes that NSC, TIAA, and PBI are expected to begin sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a data breach notification from Washington State University, NSC, TIAA or PBI, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the Washington State University data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting Washington State University Students and Employees?

The Washington State University data breach was only recently announced, and more information is expected in the near future. However, WSU’s July 11, 2023, post entitled "Third-party data breach impacts WSU community” sheds some light on the issue.

According to this source, several third-party vendors recently notified WSU of a cybersecurity incident that may have exposed personally identifiable information of students and employees. Evidently, the vendors were NSC and TIAA. NSC provides enrollment and degree verification services as well as student loan reporting requirements to WSC. TIAA provides financial services to WSU employees. In turn, WSU provides student and employee information to each of these organizations, as needed, so they can perform the necessary services.

Evidently, NSC uses MOVEit to transfer files. TIAA does not use MOVEit, but one of the company’s vendors, PBI, does. On May 31, 2023, the creator of MOVEit announced a zero-day vulnerability that allowed hackers to access certain organizations’ MOVEit servers. NSC and PBI were two of the many companies impacted by the MOVEit incident.

Thus, while WSU’s systems were not compromised, data provided to TIAA and NSC by Washington State University was compromised as a result of vulnerabilities in the MOVEit software.

Washington State University indicates that students affected by the National Student Clearinghouse data breach will be contacted by NSC. Additionally, employees affected by the Teachers Insurance and Annuity Association / Pension Benefit Information will be contacted by either TIAA or PBI.

More Information About Washington State University

Founded in 1890, Washington State University is a public land-grant research university based out of Pullman, Washington. WSU offers its more than 31,000 students a choice of bachelor's, master's and doctoral degrees in 200 fields of study through 65 different departments, schools, and programs. Washington State University employs more than 7,083 people and generates approximately $2.9 billion in annual revenue.