Cyber Incident Victim: Washington State University
Date:
Jun 2023
Location:
United States of America
Summary
Washington State University was indirectly impacted by a global cybersecurity incident involving the MOVEit Transfer file-sharing application, which was used by several of its third-party service providers. The personal information of some current and prospective students and employees was exposed through breaches at the National Student Clearinghouse, UnitedHealthcare, and a vendor for TIAA. The university itself did not use the vulnerable software, but data it had shared with these providers for verification, insurance, and financial services was compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
A cybersecurity incident involving the MOVEit Transfer file-sharing application impacted numerous organizations globally, including third-party service providers associated with Washington State University. Although WSU itself did not use the MOVEit software, the university received notifications from several of its vendors that personally identifiable information belonging to some current and prospective students and employees may have been exposed due to the breach. The incident came to light through national news media reports, and WSU was informed by its partners that their systems had been compromised.
The third-party service providers who notified WSU of their involvement in the incident were the National Student Clearinghouse (NSC), the Teachers Insurance and Annuity Association (TIAA), and UnitedHealthcare. The National Student Clearinghouse is a nonprofit organization that provides educational reporting, data exchange, and verification services to over 3,600 colleges and universities, including WSU. The university works with the clearinghouse for purposes such as enrollment verification, degree verification, and fulfilling student loan reporting requirements. The data provided by WSU to the NSC included personally identifiable information and education records. The NSC publicly posted details about the incident on its own website.
The Teachers Insurance and Annuity Association (TIAA) is a financial organization offering investment and insurance services to employees in various fields, including academia. WSU provides TIAA with names, addresses, dates of birth, and Social Security numbers for employees who choose to participate in its services. While the data transferred directly from WSU to TIAA was not compromised, TIAA indicated that an outside vendor it shares information with, Pension Benefit Information, LLC, had been impacted by the MOVEit Transfer cyberattack.
UnitedHealthcare, which makes health insurance plans available to college students, notified Washington State University that personally identifiable information and claims information for some of its WSU student customers was accessed during the MOVEit Transfer cyberattack in June. To assist its policyholders, UnitedHealthcare established a dedicated, toll-free telephone number for individuals to call for additional information regarding the breach.
In response to the notifications from its service providers, Washington State University published an official statement on its website to inform the community. The university expected that the National Student Clearinghouse, UnitedHealthcare, and Pension Benefit Information, LLC would directly contact individuals impacted by the breach with additional details where required by law. WSU committed to updating its webpage as new information became available from these service providers.
The incident did not involve a direct breach of Washington State University's own systems or infrastructure. The compromise occurred solely within the systems of its third-party vendors who were using the vulnerable MOVEit Transfer application. The scope of the incident for WSU was therefore confined to the data those specific vendors held on the university's behalf. The nature of the data exposed varied by vendor but included types of personally identifiable information such as names, addresses, dates of birth, Social Security numbers, education records, and health insurance claims information.
The university's public communication provided information from the Federal Trade Commission on steps individuals could take if they believed their personal information had been compromised. These recommended actions included closely monitoring credit reports, obtaining free copies of credit reports from the three major agencies, placing a fraud alert on accounts, freezing credit, filing a police report in cases of identity theft, and blocking electronic access to Social Security information through the Social Security Administration.
Washington State University's role following the incident was primarily one of communication and coordination. As the data breach occurred within external systems, the university did not undertake containment or eradication actions itself. Instead, it relied on its third-party providers to manage the direct response to the compromise of their own systems. WSU’s ongoing action was to monitor the situation and relay any new information received from the National Student Clearinghouse, TIAA, and UnitedHealthcare to its affected community members.