A recent worldwide data incident has compromised a large number of organizations, including the National Student Clearinghouse. The Utah System of Higher Education contracts with the Clearinghouse for its services on behalf of all USHE institutions, and USHE institutions provide student information to the Clearinghouse directly to support financial aid administration. The Clearinghouse has notified several USHE institutions that personally identifiable information about students enrolled at those institutions, maintained by the Clearinghouse on behalf of those institutions, was disclosed in this incident.
What is Being Done About This Incident?
USHE and its institutions are actively monitoring the situation and are committed to assessing and addressing the potential ramifications of this incident. Due to the national scope of this incident and the location of the data systems that were compromised, the Clearinghouse is the focus of response to this incident. They are providing information about their response at alert.studentclearinghouse.org. Affected students may receive further communications from the Clearinghouse directly.
The Clearinghouse has informed institutions that they can submit data to the Clearinghouse securely following the Clearinghouse’s threat containment efforts using a new, secure data transfer environment that was never accessed by the unauthorized third party. To protect students from further unauthorized access, all USHE institutions, whether or not they were affected by the incident, are communicating with the Clearinghouse in this environment.
In addition to the Clearinghouse’s response, affected institutions are notifying affected students directly and bringing attention to communications the Clearinghouse has distributed in compliance with their obligations under the Gramm-Leach-Bliley Act.
Affected institutions may notify students of additional actions that the institution takes in response to this incident.
What Can Students Do to Protect Themselves?
Because this incident involves the National Student Clearinghouse’s systems and not USHE’s or any USHE institution’s, there is nothing more that students need to do to secure their institutional accounts or data.
In accordance with federal guidelines for protection against identity theft after a data incident, USHE encourages affected students to remain vigilant about potential indications of identity theft over the next 12 to 24 months and to report suspected identity theft incidents to their institutions and, if appropriate, law enforcement authorities.
The Federal Trade Commission (FTC) provides useful information to help protect affected students from identity theft at identitytheft.gov/databreach. If affected students find that their personal information has been misused, they can visit the FTC’s site at IdentityTheft.gov to report the identity theft and get recovery steps.
As always, USHE recommends that students practice good data security habits and adhere to their institution’s recommended security practices.
What is the National Student Clearinghouse?
The National Student Clearinghouse is a non-governmental organization that coordinates enrollment reporting and verification for most colleges and universities in the United States. The Clearinghouse plays a major role in managing in-school student loan deferrals for students who transfer to or continue their education at another institution after taking out a federal student loan. Institutions are authorized to provide information to the Clearinghouse in connection with financial aid administration under the Family Education Rights and Privacy Act (FERPA). USHE contracts with the Clearinghouse for its services on behalf of all USHE institutions, and institutions provide student information to the Clearinghouse directly to support financial aid administration.
What Happened to the Clearinghouse’s Data?
Clearinghouse data systems were compromised when an unauthorized third party exploited a vulnerability in MOVEit Transfer, a common file transfer tool. The exploit has affected a large number of businesses, organizations, government agencies, and educational institutions, allowing the third party to intercept data transferred using Moveit Transfer. Because the Clearinghouse uses MOVEit Transfer to transfer files containing personally identifiable information necessary for the Clearinghouse to perform its functions, the third party was able to access and download some student information held by the Clearinghouse. This included data files transferred from several USHE institutions that contained personally identifiable information about those institutions’ students. The exact information and students affected depends on the files that were compromised, which are specific to each institution. USHE and affected institutions are awaiting more information from the Clearinghouse regarding the files compromised.
This data incident involved only the Clearinghouse’s data systems. No systems managed by USHE or any institutions have been compromised, and no institutional data that was not sent to the Clearinghouse has been affected. The Clearinghouse believes that its systems have been secured against further intrusion.
For more information about the incident, visit alert.studentclearinghouse.org.
The MOVEit Transfer vulnerability has also affected at least one USHE institution through its relationship with a contractor other than the Clearinghouse. That institution will manage that vulnerability as a separate incident.
Who to Contact for More Information?
Affected students should first contact NSC directly through their support form at nscsso.my.site.com/student/s/contactsupport. Students can also contact their institution’s data privacy officer.