Cyber Incident Victim: University of Alaska

In May 2023, the University of Alaska (UA) system, comprising the University of Alaska Anchorage (UAA), the University of Alaska Fairbanks (UAF), and the University of Alaska Southeast (UAS), was notified of a potential data breach impacting its community. This incident was part of a large-scale, global cybersecurity event and did not involve a direct compromise of any University of Alaska-owned or operated IT systems. Instead, the breach originated from a vulnerability within a widely-used third-party file transfer tool known as MOVEit, which is developed by Progress Software. The initial exploitation of this vulnerability occurred in early May 2023 by a ransomware gang believed to be based in Russia. This group successfully exploited a security flaw in the MOVEit application to gain unauthorized access to the systems of numerous organizations worldwide that utilized the software for transferring large files over the internet.

The primary impact on the University of Alaska stemmed from the compromise of its third-party service providers. Specifically, UA was advised that the National Student Clearinghouse (NSC) was impacted by this breach. The NSC is a central organization that serves as a single point of contact for the secure collection and exchange of student enrollment, degree, and certificate records for approximately 99% of all colleges and universities in the United States. The University of Alaska system shares student data with the NSC as part of its standard operations. At the time of the university's public notification on May 31, 2023, the National Student Clearinghouse itself had not yet fully determined the precise scope and nature of how the MOVEit breach had impacted its own systems and the data it held. This lack of complete information from the vendor meant the full extent of potential data exposure for UA students was not immediately known.

The global scale of the MOVEit breach was significant, affecting a vast array of organizations across the public and private sectors. Impacted entities included U.S. federal agencies such as the Department of Health and Human Services (HHS), major private corporations like Ernst and Young, and prominent overseas organizations including British Airways and the British Broadcasting Corporation (BBC). By early July 2023, cybersecurity researchers estimated that the personal information of more than 17.5 million individuals worldwide had been affected by the incident. The vendor, Progress Software, responded to the discovered vulnerability by releasing multiple patches for the MOVEit software in an attempt to secure it against further exploitation. However, due to the widespread use of the tool and the speed of the initial attack, it remained unclear how many organizations had been successfully compromised before applying these mitigations.

The potential consequences for individuals associated with the University of Alaska were related to the type of data processed by the affected third-party vendors, notably the National Student Clearinghouse. While the exact data elements were not specified by UA, the NSC typically handles comprehensive educational records. This raised the possibility that student information such as names, enrollment history, and degree or certificate attainment details could have been accessed by the threat actors. The primary risk to individuals was the potential for identity theft or financial fraud if the exposed data was misused. The university anticipated that due to the massive scale of the breach, some of its current and former students and employees would receive formal data breach notification letters in the mail from the impacted vendors.

The University of Alaska's response was primarily focused on communication and guidance for its community. On May 31, 2023, the UA system issued a public announcement through its news center to proactively inform students and employees about the potential risk originating from the third-party breach. This communication served to make individuals aware of the situation and to prepare them for the possibility of receiving a notification letter. The university advised its community members to carefully read any such notification to verify its legitimacy and to understand what specific data was potentially compromised. Guidance emphasized that legitimate notifications are typically sent via postal mail and addressed directly to the impacted person. Individuals were instructed to contact a company's customer service number directly if they were unsure about the authenticity of a received letter.

The university's announcement also outlined specific protective steps that individuals could take based on the general best practices for such scenarios. It highlighted the importance of utilizing any credit monitoring services that might be offered by the breached vendor, often provided at no cost to affected individuals. Initiating a credit freeze with the three major credit bureaus was strongly recommended as a proactive measure to prevent unauthorized accounts from being opened. Furthermore, the university advised individuals to consider updating important passwords and enabling multi-factor authentication (MFA) on their online accounts where available. These actions were presented as reasonable precautions to enhance personal digital security in the wake of the widespread data exposure. The overarching message from the University of Alaska was that in the modern digital landscape, developing good cybersecurity habits is essential for protecting personal information, as large-scale hacks and ransomware attacks are becoming increasingly common. The incident underscored the extended risks that organizations and their constituents face through dependencies on third-party vendors and widely-used software tools.