Cyber Incident Victim: Hamilton College
Date:
May 2023
Location:
United States of America
Summary
A cybersecurity incident impacted Hamilton College through third-party service providers National Student Clearinghouse (NSC) and TIAA, stemming from a vulnerability in Progress Software's MOVEit application. While the institution did not use MOVEit directly, personally identifiable information of some community members may have been exposed via NSC's educational verification services and TIAA's vendor Pension Benefit Information (PBI), which utilized the compromised file-transfer tool. TIAA confirmed its internal systems remained secure, attributing potential data exposure to PBI's MOVEit implementation. The college's information security team coordinated with both providers to address impacts, advising affected individuals to await direct communication from NSC or TIAA regarding compromised data specifics.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A vulnerability in Progress Software's MOVEit file transfer application, identified in late May 2023, impacted numerous organizations globally, including third-party service providers used by Hamilton College. On July 11, 2023, Hamilton College publicly confirmed that two of its vendors—National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA)—had notified the institution about potential exposure of personally identifiable information belonging to some community members due to this vulnerability. Hamilton College clarified it did not operate its own MOVEit instance and was not directly responsible for the breach. TIAA specified that while its internal systems remained uncompromised, the incident affected Pension Benefit Information (PBI), a vendor TIAA employs for death notice verification services that utilized the MOVEit Transfer tool. NSC, which handles educational verification and compliance reporting for Hamilton, also confirmed potential data exposure through its own notification.
Hamilton College’s Information Security team initiated monitoring of the situation and coordinated with both service providers to ensure compliance with protective measures for affected individuals. TIAA assured Hamilton that retirement and financial data within its direct systems remained secure, attributing the breach solely to PBI’s MOVEit usage. NSC published additional incident details on its website but did not disclose specific data elements compromised. The college directed impacted individuals to await direct communication from NSC or TIAA regarding their personal data status. As a precaution, Hamilton’s notice referenced general security practices such as reviewing financial accounts, monitoring credit reports via annualcreditreport.com, considering credit freezes, and—for students—evaluating identity protection services like TransUnion’s TrueIdentity. The Director of Information Security and Privacy provided contact information for community inquiries but did not disclose the number of affected individuals or detailed timelines of vendor notifications.