Over the past few weeks, three large universities posted notices of third-party data breaches after learning that two of the universities’ vendors, the Teachers Insurance and Annuity Association (“TIAA”) and the National Student Clearinghouse (“NSC”), used MOVEit, file-transfer software that was recently discovered to contain a vulnerability allowing hackers to access information stored within the platform. NSC and TIAA are still investigating the incidents; once they determine who was affected, they will begin sending out data breach notification letters to all affected parties.
If you are a student or employee at SUNY Fredonia, Colorado State University, or UB University at Buffalo and you receive a data breach notification from National Student Clearinghouse or TIAA, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the NSC / TIAA data breaches. For more information, please see our recent piece on the topic here.
What Caused the National Student Clearinghouse Breach?
The National Student Clearinghouse and TIAA data breaches were only recently announced, and more information is expected in the near future. And while the two breaches have their differences, they both involve MOVEit, a popular file transfer program.
MOVEit is a product of Progress Software. On May 31, 2023, Progress Software announced a zero-day vulnerability within MOVEit that allowed hackers to access information stored on various organizations’ MOVEit servers, including NSC’s. While TIAA did not use MOVEit, the organization provided confidential faculty information to one of its vendors, Pension Benefit Information (“PBI”), which used MOVEit to transfer that data. In other words, TIAA is a vendor used by colleges and universities, and PBI is a vendor used by TIAA.
Thus, while none of the aforementioned universities used MOVEit, because NSC and PBI used the program, sensitive student and faculty data was compromised.
Once NSC and PBI learned of the vulnerability and possible data breach, they launched their own investigations. These investigations confirmed that an unauthorized party obtained certain files transferred through their respective MOVEit environments, including files containing data that the organizations maintain on behalf of certain universities. The following universities were recently notified by NSC and TIAA that their students’ data was among the data that was compromised:
- UB University at Buffalo,
- SUNY Fredonia, and
- Colorado State University.
After learning that sensitive consumer data was accessible to an unauthorized party, National Student Clearinghouse and Pension Benefit Information began to review the compromised files to determine what information was leaked and which consumers were impacted. NSC and PBI are both still in the process of reviewing the affected data types and identifying which students were affected.
Once the National Student Clearinghouse and PBI complete their investigations, the companies will send out data breach letters to anyone who was affected by the recent data security incident.
Why Does the National Student Clearinghouse Have Students’ Confidential Information?
The National Student Clearinghouse is an organization that provides educational reporting, data exchange, and verification services to over 3,600 colleges and universities nationwide. To allow NSC to perform these services, colleges and universities must provide NSC with students’ confidential information.
Why Does TIAA Have Faculty Members’ Confidential Information?
TIAA provides retirement benefit services to colleges and universities, among other organizations. To allow TIAA to perform these services, colleges and universities must provide TIAA with employees’ confidential information.
More Information About National Student Clearinghouse
Founded in 1993, National Student Clearinghouse is an education verification and student educational outcomes research organization based in Herndon, Virginia. The organization oversees 97 percent of students enrolled in public and private higher education institutions and 70 percent of students enrolled in public and private high schools. National Student Clearinghouse employs more than 300 people and generates approximately $28 million in annual revenue.
More Information About the Teachers Insurance and Annuity Association of America
Founded in 1918 and based in New York City, New York, the Teachers Insurance and Annuity Association of America is a provider of financial services in the academic, research, medical, cultural and governmental fields. TIAA employs more than 15,800 people and generates approximately $40 billion in annual revenue.