On Sept. 6, 2023, some Grand Valley State University students received an email from Associate Vice President and University Registrar, Pamela Wells, Ph.D., subject, “Important Information from the Registrar’s Office.” This email contained a warning about the possibility of their personal information being compromised by a third-party vendor.
“I’m writing to inform you that some personal information about you may have been compromised while in the possession of a third-party vendor,” Wells said in the email.
The vendor in question is the National Student Clearinghouse, (NSC). According to the NSC website, the purpose of the NSC is to relieve “the administrative burdens and costs related to student data reporting and exchange.” NSC uses a program called MOVEit, a popular file transfer program, as its primary program.
According to a JDSupra article, MOVEit’s parent company Progress Software noticed a breach in the servers that had not been patched.
“On May 31, 2023, Progress Software announced a zero-day vulnerability within MOVEit that allowed hackers to access information stored on various organizations’ MOVEit servers, including NSC’s,” Console and Associates wrote in the article.
An alert on NSC’s website claims that once the breach had been noticed, they launched an investigation into it and have since patched the holes.
“We have applied all three of the security patches issued by Progress Software. Our systems and software are continuously monitored, and we have patching processes in place to keep them updated,” the NSC team said in the alert.
According to a press release from the Cybersecurity & Infrastructure Security Agency, they have begun a joint investigation with the FBI’s cybersecurity division.
“CISA continues to work diligently to notify vulnerable organizations, urge swift remediation and offer technical support where applicable,” CISA Executive Director for Cybersecurity Eric Goldstein said.
Other schools, such as Michigan State University, have also experienced information being compromised due to this breach. The email sent out by Wells said that GVSU mainly uses NSC for information reporting of financial aid, but that is not its only purpose.
“A majority of U.S. colleges and universities, including GVSU, communicate information about your enrollment to the U.S. Department of Education through the National Student Clearinghouse (NSC) for required reporting in support of financial aid and other programs,” Wells said.
Both GVSU and NSC have assured that no sensitive information, such as social security numbers and date of birth, was breached. However, the information that was exposed included names and permanent addresses.
Wells said GVSU made sure NSC had fixed the breaches and reviewed the safety steps had been taken before the university decided to continue to use them.
“NSC has implemented extra steps to allow schools to securely transfer data to the NSC,” Wells said. “These steps were vetted by GVSU’s Cybersecurity staff and implemented before GVSU sent any new data to the NSC.”
Cyber attacks have the ability to pose major threats, ranging from stealing account information to identity theft to company-wide information being stolen. Many people’s records in various areas of their lives are available to find online among many colleges and universities that have their information stored online as seen in this NSC breach.
Cyber attacks are common and according to Yuan Cheng, an Associate Professor in the School of Computing, difficult to prevent. Cheng said there are options to do your best to ensure cyber safety.
“Keeping all software up-to-date and staying tuned for the latest security patches is helpful, as outdated programs with known vulnerabilities are usually prime targets,” Cheng said. “Regularly backing up data and systems can enable recovery and ensure our daily operations continue without disruptions, such as denial-of-service and ransomware attacks.”
On an individual level, there are more precautions that can be taken. Cheng recommends four specific things, among the many options for online protection: use strong and unique passwords, be cautious of phishing attempts and social engineering attacks, back up important data regularly and keep an eye on your accounts and credit report for suspicious activity.
“It’s important for our students to take precautions to safeguard their information in the event of a cyber attack,” Cheng said.
Both Wells and Cheng highly recommend that everyone frequently check their credit report in case of personal security breaches to catch the breach as early as possible.
“The risk from this particular exposure is thought to be small. However, everyone, students or otherwise, should be in the habit of checking their credit score on a regular basis,” Wells said.