New Details Provided for 270k Records Leaked in National Student Clearinghouse MOVEit Event
Table of Contents
- By Steven
- Dec 19, 2023
The National Student Clearinghouse (NSC) is a provider of comprehensive skill sets; they work to better prepare students for success through grade school and during the transition into the workforce. Dubbed “the K-20 to Workforce Continuum,” NSC’s services have assisted thousands of individuals in achieving academic and career distinctions. These same individuals may now be at risk for information misuse, however. The NSC is another victim of the global MOVEit data breach event.
How Did the Attack Occur?
Progress Software’s MOVEit tool allows for managing and transferring files between otherwise differing systems. It is software used by industries worldwide, from healthcare to logistics companies and everything in between. Their prominent stature as a vendor service provider made them a target for cybercriminals in May 2023. Until then, MOVEit had been operating with a zero-day system vulnerability unknown to experts. The vulnerability allowed threat actors to sneak into the systems of organizations without detection. Progress Software has since fixed the vulnerability, but thousands of organizations have discovered the event’s consequences.
What Information Was Viewed or Stolen?
According to the notice published on the Maine Attorney General’s website, the information exposed in this event included personal data. The information exposed differs between individuals and is not limited to only students. There may be data from educational institutions, alumni, employers, and other organizations involved. Moreover, the compromised data may include full names, contact information, birthdays, Social Security Numbers, student ID numbers, and various school records (including enrollments, degree histories, and course-level details). Subsequently, all those who have worked with the NSC must consider data protective services immediately.
How Did National Student Clearinghouse Admit to the Breach?
The NSC was presumably unaware of the incident until Progress Software’s May 31st, 2023 announcement. NSC immediately began an internal investigation confirming that an unauthorized actor had accessed their systems in the previous days. Their investigation concluded around June 20th, after which officials began to notify the appropriate parties. Public notices have been sent by officials four times since: once in August, September, November, and most recently, at the beginning of December.
What Will Become of the Stolen Information?
How the cybercriminals plan to use the stolen credentials and their motivations are unclear. The impact figure of this breach is estimated to be the data of 271,496 individuals. Apart from impersonation plots (generating even more usable data), the assailants could use the sensitive data for fraudulent activities. Financial and identity accounts could be opened in the data owner’s name, opening them to the risk of account misuse. Some victims may even find themselves blackmailed by the data—a situation only the authorities can help mitigate.
What Should Affected Parties Do in the Aftermath of the Breach?
In typical data breaches, the first step is to change passwords and update permissions with multi-factor authenticators; however, this breach contains primary data that individuals cannot easily change. Due to the sensitive nature of the exposed data, individuals cannot wait to see if their data is compromised; they must act as if they know it is and take preventative actions to protect it. In this case, investing in account monitoring services is the best course of action. They cannot stop the criminal misuse of data within accounts but can immediately notify the data owner of its misuse; this is the best way to prepare for the inevitable and mitigate any potential consequences.