National Student Clearinghouse MOVEit breach impacts nearly 900 schools

US educational nonprofit organization National Student Clearinghouse (NSC) has revealed that the breach of its MOVEit server ended up affecting almost 900 colleges and universities, and resulted in the theft of personal information of their students.

The National Student Clearinghouse MOVEit breach notice

NSC provides educational reporting, data exchange, verification, and research services to around 3,600 North American colleges and universities and 22,000 high schools.

NSC has filed a breach notification letter with the California Attorney General’s Office on behalf of the affected schools.

The notification letter informed affected students – whose total number has not been disclosed – about the security breach resulting from a cyberattack that exploited a vulnerability in the MOVEit managed file transfer solution.

“Through our investigation, on June 20, 2023, we learned that an unauthorized party obtained certain files from the MOVEit tool,” the data breach notice reads.

“The relevant files obtained by the unauthorized third party included personal information such as name, date of birth, contact information, Social Security number, student ID number, and certain school-related records (for example, enrollment records, degree records, and course-level data). The data that was affected by this issue varies by individual.”

NSC has also provided a list of the educational organizations affected by this breach.

The MOVEit hack

In late May 2023, the Cl0p ransomware/cyber extortion gang exploited an SQL injection vulnerability (CVE-2023-34362) in the widely used Progress Software’s MOVEit Transfer file transfer solution, which allowed them to access the underlying database.

The breach affected a great number of organizations, including governments, financial institutions, pension systems, and other public and private entities.

“The upstream/downstream in many MOVEit incidents is extremely complex, with some organizations being impacted because they used a vendor which used a contractor which used a subcontractor which used MOVEit. Additionally, some organizations have had MOVEit exposure via multiple vendors,” noted Emsisoft’s Zach Simas.

“This is especially true in the education sector with some institutions being affected by incidents involving the National Student Clearinghouse, the Teachers Insurance and Annuity Association of America-College Retirement Equities Fund (which was impacted by an incident at a vendor: PBI Research Services), as well as third party health insurance providers and other financial service providers.”

In late June, 2023, NSC notified the schools about the MOVEit breach, but did not provide many details as the investigation was still ongoing.

Dissent Doe at Databreaches.net noted at the time that NSC’s name “had been removed from Cl0p’s leak site, which is often an indication that a victim paid”.