Cyber Incident Victim: Worcester State University

On or around May 31, 2023, Worcester State University was formally notified by the National Student Clearinghouse (NSC) of a data security incident. The breach occurred within the systems of the NSC, a non-profit organization that provides educational reporting and data services for over 3,600 colleges and universities. The incident did not originate from or impact any internal Worcester State University data systems. The university confirmed its own systems for student, alumni, and employee records remained secure and were not compromised. The breach was attributed to a security vulnerability in the MOVEit Transfer tool, a file transfer software product developed by Progress Software. According to the information provided by NSC, an unauthorized third party discovered and exploited this vulnerability, which could allow for unauthorized access to files being transferred using the tool.

The National Student Clearinghouse utilizes the MOVEit software to facilitate the transfer of files containing data it maintains on behalf of its client institutions. NSC’s investigation determined that this unauthorized party obtained certain files that had been transferred through the Clearinghouse’s MOVEit environment. These files included data maintained for some of its customers, specifically Worcester State University student data files. NSC indicated there was no evidence to suggest the unauthorized party had specifically targeted the Clearinghouse or Worcester State University. This incident was part of a broader global cybersecurity event affecting thousands of organizations that utilized the MOVEit Transfer software, including corporations and government agencies.

Upon learning of the vulnerability from the software provider, the National Student Clearinghouse launched an immediate investigation into the incident. NSC also took steps to secure its systems to prevent further unauthorized access. The scope of the breach, from Worcester State’s perspective, was entirely contained within the third-party NSC systems. The university itself does not use the MOVEit software, so its internal infrastructure was not a vector for the attack. The primary impact was the potential exposure of personal student data that Worcester State had provided to the NSC as part of its normal reporting and data services operations.

At the time of the university's public announcement on May 31, 2023, the specific details regarding the compromised data were unknown. The National Student Clearinghouse had not yet provided Worcester State with any further details or specific information about the exact nature of the student data affected. The university acknowledged that, like the vast majority of public and private colleges and universities across the country, it provides student data to the NSC. The potential involvement of alumni records was also uncertain; while the university's internal alumni data systems were confirmed secure, it was possible that files containing data on students who had since graduated could have been among those transferred to and compromised at the NSC.

In response to the incident, Worcester State University leadership initiated a coordinated effort. The Executive Cabinet, legal counsel, and IT security staff worked together to manage the university's response. The primary point of contact for the incident was the Office of the Registrar, which fielded questions from concerned individuals. The university also proactively notified several state and federal agencies of the data breach as a precautionary measure. These agencies included the Massachusetts Attorney General’s Office, the Massachusetts Comptroller’s Office, the Massachusetts Secretary of State Office, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the Massachusetts Executive Office of Technology Services and Security (EOTSS), the Massachusetts Department of Higher Education (DHE), and the U.S. Department of Education (USDOE).

The National Student Clearinghouse informed Worcester State on July 12, 2023, that it was working with a third-party vendor to conduct a comprehensive review of the affected files. The purpose of this review was to identify all individuals whose personal information appeared in the compromised files. NSC estimated this review process would be completed within the following few weeks. Upon completion, the Clearinghouse committed to providing its customers, including Worcester State University, with more detailed information on the specific individuals affected. Worcester State University pledged to work with NSC to ensure that any impacted individuals would be promptly notified once their identities were confirmed.

The consequences of the incident were solely related to the potential exposure of personal data held by a third-party service provider. There were no operational disruptions to Worcester State University's academic or administrative functions, as its own systems were unaffected. The university's response focused on communication and coordination with the NSC to ascertain the full scope of the impact on its student population. The overarching narrative is one of a university responding to a security failure in a vendor's system that was entirely outside of its direct control, emphasizing the security of its own infrastructure while awaiting further details from the involved third party.