Summary of the Event

The National Student Clearinghouse (the “Clearinghouse”) uses MOVEit Transfer, a tool offered by software provider Progress Software, to support the transfer of files. A security vulnerability in MOVEit Transfer enabled unauthorized access to files transferred through the tool. Upon learning of the vulnerability, the Clearinghouse promptly launched an investigation to understand its impact on the Clearinghouse and our customers. The investigation revealed that an unauthorized third party obtained certain files transferred through the MOVEit software, including files containing personal information that the Clearinghouse maintains on behalf of our customers. The affected files were then analyzed to determine the individuals whose personal information appeared in the files and the data providers who submitted that information to the Clearinghouse.
Please read this page carefully as it contains important information about what data was impacted and what you may need to do.

Details of Event


On May 31, 2023, third-party software provider Progress Software announced a security vulnerability related to its MOVEit Transfer software, potentially affecting thousands of organizations worldwide. MOVEit Transfer is a software tool used by many organizations, including the Clearinghouse, to support the transfer of files. According to Progress Software, an unauthorized third party discovered a vulnerability in the MOVEit Transfer software that could allow unauthorized access to files transferred through the tool.

Upon learning of this vulnerability, the Clearinghouse promptly launched an investigation and took steps to secure our relevant systems. We reported the issue to law enforcement and worked with leading cybersecurity experts to understand the impact of the issue on our organization and our customers. The Clearinghouse acted promptly to protect our systems and our customers’ data by applying the relevant security patches and following guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and other cybersecurity experts. As a precautionary measure, we rebuilt the Clearinghouse’s entire MOVEit environment, and we have implemented additional monitoring measures to help us identify any further activity associated with the issue.

Based on the investigation, we determined that an unauthorized third party obtained certain files transferred through the MOVEit Transfer software, including files containing personal information that the Clearinghouse maintains on behalf of our customers. The unauthorized party obtained the files on or around May 30, 2023. Although the Clearinghouse began our internal investigation promptly after learning of the vulnerability on May 31, 2023, we did not learn until June 20, 2023 that certain files had been accessed by an unauthorized party. Since then, the Clearinghouse has been working diligently to understand the nature and scope of the affected files, and communicating with relevant data providers regarding the incident and the steps we are taking in response to the incident. We initiated a two-phased review of the affected files with the assistance of a third-party vendor. During the first phase, the data providers whose information appeared in the files were identified. The second phase involved identifying the individuals whose personal information appeared in the files, determining the types of personal information in the files, and connecting such information to the data provider that submitted it to the Clearinghouse.

The Clearinghouse provided NICC with the names of the individuals associated with our organization whose personal information was identified in the affected files. The individuals will be identified by their names as they appeared in the affected files.

In some of the affected files, personal information such as Social Security numbers, student identification numbers, or dates of birth appeared. However, the individuals identified at NICC did not have a Social Security number, student identification number, or date of birth from our organization appearing in the affected files. For the individuals identified, the types of affected personal information may include names, contact information, and educational information such as enrollment, degree, and course-level data (for example, from transcripts and Postsecondary Data Partnership reports), although the types of information vary by individual.

https://alert.studentclearinghouse.org/  

National Clearinghouse Frequently Asked Questions

An unauthorized third party discovered a security vulnerability in software provider Progress Software’s MOVEit Transfer tool, which allowed unauthorized access to files transferred through the tool. The unauthorized party exploited the vulnerability to gain unauthorized access to the Clearinghouse’s MOVEit environment and to obtain certain files, including files containing personal information that the Clearinghouse maintains on behalf of our customers.

Progress Software announced the security vulnerability on May 31, 2023, and the Clearinghouse promptly launched an investigation to understand the impact of the vulnerability on our organization and our customers. On June 20, 2023, the investigation revealed that an unauthorized third party obtained files from the Clearinghouse’s MOVEit environment on or around May 30, 2023.

Yes, the Clearinghouse promptly reported the event to law enforcement.

The files obtained by the unauthorized third party included personal information that the Clearinghouse maintains on behalf of our customers. The personal information pertains to current and former students of educational institutions and customers of education finance organizations. For the individuals identified in the list available, the types of affected personal information may include names, contact information, and educational information such as enrollment, degree, and course-level data (for example, from transcripts and Postsecondary Data Partnership reports). The types of personal information that were included in the files varied by individual.
In some of the affected files, personal information such as Social Security numbers, student identification numbers, or dates of birth appeared. However, the individuals identified at NICC did not have a Social Security number, student identification number, or date of birth from your organization appearing in the affected files.

Upon learning of the vulnerability in the MOVEit Transfer software, the Clearinghouse promptly launched an investigation and took steps to secure our relevant systems. We reported the issue to law enforcement and worked with leading cybersecurity experts to understand the impact of the issue on our organization and our customers.

Once we learned that certain files were obtained by an unauthorized party, the Clearinghouse began working with a third-party vendor to review and analyze the relevant files. This review involved two phases. During the first phase, the vendor identified the data providers whose information appeared in the affected files, enabling the Clearinghouse to notify impacted data providers. During the second phase, the vendor identified the individuals whose personal information appeared in the affected files, determined the types of personal information in the files, and connected such personal information to the data provider that submitted it to the Clearinghouse. The Clearinghouse provided information derived from the review and analysis of the affected files.

We believe the issue is contained based on the significant measures we have taken to further strengthen the security of our systems and our customers’ data. The Clearinghouse applied the relevant security patches issued by Progress Software, and followed guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, Mandiant, Microsoft, and other cybersecurity experts. As a precautionary measure, we rebuilt the Clearinghouse’s entire MOVEit environment, so that our customers’ data is entering into a newly built, pristine environment that was never accessed by the unauthorized third party. We have also implemented additional monitoring measures to help us identify any further activity associated with this issue.

The Clearinghouse has been communicating regularly with data providers about the MOVEit Transfer issue and providing updates on the related investigation. We notified data providers after learning that the issue involved certain information they may have provided to us. Since then, we have continued to communicate with impacted data providers about the ongoing review and analysis of the affected files and the support that the Clearinghouse is offering to data providers.

In a recent communication sent to NICC, the Clearinghouse indicated that we would be providing you with access to a portal and the list of individuals available in the portal.
Because no Social Security numbers, student identification numbers, or dates of birth provided by your organization were identified for the individuals identified in the portal, NSC will not notify individuals on NICC’s behalf. Therefore, the Clearinghouse is not asking NICC to take any action with respect to the individuals identified within this list.