MOVEit Security Issue Update
The National Student Clearinghouse is investigating a recent cybersecurity issue involving a vulnerability in one of our third-party software tools, MOVEit Transfer, which affected potentially thousands of other organizations worldwide that use the tool to transfer files. While we continue to investigate this issue, all Clearinghouse services are fully operational.
The Clearinghouse has been working with leading cybersecurity experts to assess the impact of the MOVEit vulnerability on the Clearinghouse and our systems. We also are coordinating with law enforcement. Based on our ongoing investigation, we have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that we maintain on behalf of some of our customers. We have notified the organizations whose data we have identified as affected by this issue. We have no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse, our customers, or other organizations that provide data to the Clearinghouse.
The Clearinghouse promptly took measures to protect customer data and our systems by applying the relevant security patches and diligently following guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). As a precautionary measure, we rebuilt the Clearinghouse’s entire MOVEit environment, using new installations of the latest operating systems as well as installing a clean copy of the latest version of the MOVEit Transfer application.
1. What files and data were affected?
The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students. We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.
We also have no evidence that the unauthorized party was able to move to other environments where data is stored or transmitted at the Clearinghouse, including the student record database. In addition, we have no evidence that the security of the file exchange between the Clearinghouse and NSLDS was compromised, or that any files being transmitted to or from NSLDS were accessed in connection with this issue.
We have initiated a review of the affected files with the assistance of a third-party provider and will follow up with additional information regarding the impact to affected organizations, including a list of individuals whose personal information is identified in the relevant files.
2. What happened?
Progress Software recently announced a vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. According to Progress Software, an unauthorized party discovered the vulnerability in the MOVEit Transfer software, which could allow unauthorized access to files being transferred using the tool.
Based on our ongoing investigation, we have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that we maintain on behalf of some of our customers. We have notified the organizations whose data we have identified as affected by this issue. We have no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse, our customers, or other organizations that provide data to the Clearinghouse.
3. What did the Clearinghouse do when it discovered the issue?
Upon learning of the vulnerability, we promptly launched an investigation and took steps to secure our MOVEit environment, including implementing patches to MOVEit software pursuant to Progress Software’s instructions.
We reported the issue to law enforcement and have been working with leading cybersecurity experts to understand the issue’s impact on our organization and our systems.
4. Have you engaged a third-party forensic firm to conduct an investigation?
Yes. We have been working with a leading global cybersecurity firm to investigate the issue.
5. What systems were affected by the issue?
The issue affected our MOVEit Transfer system. We have no evidence that the unauthorized party gained access to other systems on our network in connection with the issue.
6. Have you notified law enforcement?
Yes. We are coordinating with law enforcement.
7. Is the issue contained, so my organization can send data to the Clearinghouse?
We believe the issue is contained based on the significant measures we have taken to further strengthen the security of our systems and our customers’ data, including applying the relevant patches issued by Progress Software and implementing recommendations issued by the FBI, CISA, Mandiant, Microsoft, and others.
Additionally, we have rebuilt the Clearinghouse’s entire MOVEit environment so that all of our customers’ data is entering into a newly built, pristine environment that was never accessed by the unauthorized third party. This new environment launched last week, and we sent a communication on steps for customers to take in connection with the transition. We also have implemented additional monitoring measures to help us identify any further activity associated with this issue.
It is our priority to provide dependable services on which our customers can rely. We have followed, and will continue to follow, recommended guidelines to protect the security of our customers’ data and our systems.
8. Have you patched your systems?
Yes. We have applied all three of the security patches issued by Progress Software. Our systems and software are continuously monitored, and we have patching processes in place to keep them updated.
9. As a Clearinghouse customer, how do I know if any of my organization’s data has been impacted?
Notification letters were sent via email to organizations whose data we have identified as affected by the issue.