As of June 16, Progress, a business application software, has announced a flurry of new patches for a vulnerability in its large data file transfer service, MOVEit Transfer. However, the fixes could not come quickly enough, as multiple higher education institutions and affiliated organizations have announced data breaches.
Institutions that directly purchased MOVEit Transfer with the aim of storing and transferring sensitive data—and were thus exposed to the compromise—include the University System of Georgia and Johns Hopkins University. At the latter, the cyber breach may have impacted members’ sensitive personal and financial information, including names, contact information and health billing records, according to a school statement. Georgia’s statewide system, which covers over 340,000 students across a dozen state colleges and universities, last said it was still evaluating the “severity of this potential data exposure,” according to Fox 5 Atlanta.
Several other colleges—including Webster University, Trinity College, Middlebury College and St. Mary’s University—don’t use MOVEit Transfer but were compromised due to their affiliations with the National Student Clearinghouse Research Center and/or TIAA, a retirement financial service that benefits higher education faculty. NSCRC said potentially compromised data includes “information from the student record database.”
“Based on our ongoing investigation, we have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that we maintain on behalf of some of our customers,” announced National Student Clearinghouse Research Center.
TIAA’s data breach is due to the exploitation of one of its vendors that it shares information with, PBI Research Services. Consequently, hackers had the opportunity to gain sensitive information such as names, Social Security numbers and birth dates. Middlebury College has since confirmed that its data was breached.
Hackers reached two more retirement services affecting higher education faculty. The California Public Employees’ Retirement System (CalPERS) extends to University of California employees. Additionally, the California State Teachers’ Retirement System (CalSTRS), the largest teacher retirement system, includes more than 940,000 state public educators.
“This external breach of information is inexcusable,” said CalPERS Chief Executive Officer Marcie Frost in a statement. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
Russian ransomware syndicate Clop (also spelled CL0P or ClOp) has taken responsibility for MOVEit Transfer’s security breach. Aside from claiming NSCRC as one of its first victims, it also claimed United Healthcare Student Resources. However, the scope of the attack extends beyond the education sector. Brett Callow, threat analyst at security firm Emsisoft, posits that at least 33 data breaches have been disclosed so far, affecting more than 200 organizations and 17.5 million people, according to TechCrunch.