Worldwide data breach may impact Idaho students, employees

A worldwide data breach of MOVEit Transfer software may impact the personal information of students and employees of Idaho higher education institutions maintained by the National Student Clearinghouse (NSC) and Teachers Insurance Annuity Association of America (TIAA), according to the Idaho State Board of Education.

The NSC serves as a data collaborative for the education community. It is authorized by higher education institutions nationwide to provide enrollment and degree data on their students to other entities that have a direct relationship with students, or which are working on behalf of such entities.

According to the state board:

Because the data breach involves a third-party vendor used by the National Student Clearinghouse and TIAA, there is nothing that students or institution employees need to do to secure their institution accounts or data. No systems managed by OSBE or Idaho’s public higher education institutions have been compromised.

To date, seven of Idaho’s public higher education institutions – North Idaho College, Lewis-Clark State College, the University of Idaho, College of Western Idaho, Boise State University, College of Southern Idaho and Idaho State University have been contacted by the NSC and notified that personally identifiable information about some students attending the institutions was compromised as a result of the data breach.

TIAA is one of two companies that administers the State Board of Education’s optional retirement plans for institution faculty and staff. TIAA informed the Office of the State Board of Education (OSBE) yesterday that personal information of institution employees may have been compromised including first and last name, address, date of birth and Social Security Number.

OSBE and Idaho’s public higher education institutions are monitoring the situation and will support NSC and TIAA’s efforts regarding notification to impacted students as information becomes available.

 NSC is providing information about its response at: alert.studentclearinghouse.org  

 Students are encouraged to monitor the website regularly for further information from the Clearinghouse.

 TIAA says affected individuals will receive a letter by mail offering free credit monitoring for two years.

OSBE and Idaho’s higher education institutions encourage students and employees to take steps to protect themselves from potential identity theft.

The Federal Trade Commission provides information about how to protect against identity theft: identitytheft.gov/databreach

Because the data breach involves a third-party vendor used by the National Student Clearinghouse and there is nothing that students or institution employees need to do to secure their institution accounts or data. No systems managed by OSBE or Idaho’s public higher education institutions have been compromised.

A data hacker apparently found a vulnerability in a file transfer tool called MOVE it Transfer, which serves as a third-party vendor used by both NSC and TIAA. The breach affects higher education institutions and businesses throughout the country.

Because NSC and TIAA uses MOVEit Transfer to transfer files containing personally identifiable information, the hacker was able to access and download some personally identifiable information held by both entities. OSBE and Idaho’s higher education institutions are waiting for more information from NSC and TIAA about the files that were compromised.

The NSC believes that its systems have since been secured against further intrusion. TIAA says the MOVEit Transfer vulnerability has not affected the company’s internal systems, and no information was obtained from TIAA’s systems.

More information about the data breach is available at: alert.studentclearinghouse.org