The ongoing cyberattack exploiting MOVEit file-transfer software has taken a toll on U.S. colleges and universities.
At least 30 institutions have been notified that personal information of students and employees may have been exposed through vendors — including the Teachers Insurance and Annuity Association of America, or TIAA — that use MOVEit or have a service provider that does, according to statements from the schools.
The impacted colleges and universities include Stony Brook University, Middlebury College, Rutgers University, Loyola University Chicago, Trinity College in Connecticut, Colorado State University, the University of Dayton and the University of Alaska.
Given the nature of the attack, many more institutions may have had data exposed, cybersecurity experts said.
The colleges and universities are among dozens, perhaps hundreds, of companies and organizations that were impacted by a Russian-speaking gang that exploited a flaw in a popular file-transfer product to steal data.
In addition to the schools that were affected via vendors, some others, including the University of California, Los Angeles and the University of Georgia, were ensnared because they used MOVEit's platform, according to statements from the institutions.
The impact on the higher education sector shows the potential ripple effects of software breaches — TIAA, for instance, didn't use MOVEit but an outside vendor did — and the widening repercussions of the MOVEit attacks.
Clop, the hacking group that has claimed credit for the attack, demands money from hacking victims in exchange for not publishing stolen information from victim organizations online.
More Details on the Hack
In this instance, it doesn't appear any significant data has been leaked yet from the colleges and universities. Clop shared links to download files on three of the universities it claimed to have breached, but Bloomberg News couldn't verify the contents.
It's not known if any of the schools paid a ransom to the hackers. Some of the institutions that were hit are still trying to figure out the extent of the breaches.
"New details are emerging daily from MOVEit and other third-party vendors, so the university does not yet have complete information about the extent to which our data was involved, including details about what university data may have been part of the incident" Colorado State University said in statement.
Middlebury and Dayton confirmed that some data was exposed, while Stony Brook, Rutgers, Loyola, Trinity and Alaska said they were informed of a possible exposure.
Many of the affected colleges and universities learned about the cyberattacks after being alerted by TIAA, the National Student Clearinghouse, or other vendors.
Colorado State, for instance, was notified of potential data exposure by both TIAA and NSC, along with four other vendors, according to a university statement.
The National Student Clearinghouse said in a statement that hackers obtained files transferred through its MOVEit system, including some maintained for customers. Rutgers, for instance, said it was notified of a cybersecurity issue by the Clearinghouse.
"At this point, the impact on Rutgers information is unclear," according to a statement from the university. "Rutgers administrators are monitoring the issue closely."
TIAA Details
TIAA said a vendor, PBI Research Services, used MOVEit and experienced a "cybersecurity incident." PBI confirmed the breach in a statement. TIAA, which provides investment and insurance services, said it had been in contact with impacted institutions.
Third-party data exposures are "extremely complex," said Brett Callow, a threat analyst for the cybersecurity firm Emsisoft. "Some companies and organizations will invariably have had exposure via third parties and not realize it."
"It's very hard to say because we don't know exactly what information is being extracted, how much of it there is, what other information it could potentially be paired with," he said.