MOVEit fallout continues as National Student Clearinghouse says nearly 900 schools affected
The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.
The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.
Dozens of schools published notices confirming that student and alumni data was accessed in the breach but it was never clear just how many colleges or universities were affected.
In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.
The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.
The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.
NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.
“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”
The attack on NSC was one of several involving MOVEit that had wide-ranging downstream effects. The Clop ransomware gang targeted several organizations with connections to other companies or businesses, including PBI Research Services and the Teachers Insurance and Annuity Association of America (TIAA).
Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.
Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”
“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.
“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”
North of the border
Cybersecurity researchers believe the Clop gang has ended up netting anywhere from $75 million to $100 million just from the MOVEit campaign — with that sum “coming from just a small handful of victims that succumbed to very high ransom payments.”
“This is a dangerous and staggering sum of money for one, relatively small group to possess,” researchers from Coveware said in July. “For context, this amount is larger than the annual offensive security budget of Canada.”
Canada specifically faced several issues related to the MOVEit campaign. Last week, the government of Nova Scotia said it was forced to spend more than $2 million notifying over 165,000 people that their personal information was stolen and providing them with credit monitoring services.
On Monday, BornOntario — the government-funded birth registry for Ontario — reported that the personal health information of approximately 3.4 million people who interacted with the organization over the last decade was accessed through the MOVEit vulnerability.
“The personal health information that was copied was collected from a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023,” the organization said in a notice.
“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes. We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.”
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.