Cyber Incident Victim: Oberlin College
Date: May 2023
Location: United States of America
Summary
Hamilton College was indirectly impacted by a global vulnerability in Progress Software's MOVEit application. Two of its service providers, National Student Clearinghouse and TIAA, reported that certain personally identifiable information of some community members may have been affected. The college itself did not host the application and was not responsible for the incident. Impacted individuals were to be contacted directly by the service providers.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
A significant number of organizations worldwide were affected by a vulnerability identified in Progress Software's MOVEit application. Hamilton College received confirmation from two of its service providers, National Student Clearinghouse (NSC) and the Teachers Insurance and Annuity Association (TIAA), that certain personally identifiable information of some members of the college community may have been impacted. The college itself does not have a local instance of the MOVEit application and is not responsible for this data incident. The responsibility for contacting individuals whose information was impacted falls directly upon either the National Student Clearinghouse or the Teachers Insurance and Annuity Association, as they are the entities that experienced the incident.

The Teachers Insurance and Annuity Association (TIAA), which provides retirement, investment, and insurance services, conducted an investigation into the matter. TIAA informed Hamilton College that its own systems and services were not impacted by this incident. The TIAA investigation confirms that retirement and financial information stored in TIAA systems and services remains secure and protected. The breach instead involved a third-party vendor that TIAA uses, Pension Benefit Information (PBI). PBI utilizes the MOVEit Transfer tool to perform services for TIAA, specifically for verifying death notices. It was through this vendor's use of the vulnerable MOVEit application that the potential compromise of data occurred, not through a direct breach of TIAA's infrastructure.
National Student Clearinghouse (NSC), which serves as a source for educational verification, research services, and compliance reporting, was the other service provider that notified Hamilton College of potential data impact. The article directs individuals to the NSC website for more information from the provider itself. The nature of the data held by NSC and subsequently potentially affected by the MOVEit vulnerability relates to its role in the higher education sector, handling information necessary for verification and reporting purposes.
The incident at large is rooted in a vulnerability within a specific software product, MOVEit, developed by Progress Software. This vulnerability was exploited on a global scale, impacting a wide array of organizations that used this application for secure file transfers. The exploit did not target Hamilton College directly but rather affected the college indirectly through its relationships with third-party service providers who themselves, or whose own vendors, were users of the compromised software. This chain of dependency highlights the extended risk landscape that institutions face, where the security of their community's data is also dependent on the cybersecurity practices of their partners and their partners' vendors.
Hamilton College's internal response was managed by its Information Security team, which actively monitored the situation. The team worked with the affected service providers to ensure these third-party providers took all required steps to protect impacted individuals. The college's Director of Information Security and Privacy, Jerry Tylutki, served as the point of contact for any questions or concerns from the community, directing inquiries to his email address. The communication from the college was factual, aiming to inform the community about the incident's origin and the parties responsible for direct notification and mitigation.
The article, dated July 11, 2023, and posted on the Hamilton College website, serves as the primary official communication from the institution regarding this event. It outlines the basic facts as they were known to the college at the time of writing. The notice clarifies the college's role, or lack thereof, as a direct cause of the incident, emphasizing that the breach occurred within the systems of its service providers or their vendors. The communication also provides general safety precautions that individuals can take, such as reviewing financial accounts, checking credit reports, considering credit freezes, and for students, considering identity theft protection services, though these are presented as standard advice rather than specific recommendations tied to confirmed fraudulent activity from this event.
The scope of the impact on Hamilton College community members is not quantified in the provided article. It states that "some members" of the community may have been impacted, but it does not provide specific numbers or detail which specific data elements were potentially exposed. The article defers to the service providers, NSC and TIAA, for direct communication with affected individuals. The incident demonstrates a common modern cybersecurity challenge where institutional data is managed by external entities, and a breach at one of those entities can have downstream effects on the primary institution and its constituents without any fault or failure in the primary institution's own security defenses.
The narrative surrounding this incident is one of a widespread software vulnerability causing collateral damage across numerous sectors. Hamilton College found itself involved not through a direct attack on its infrastructure but through the interconnected nature of digital services and vendor relationships. The college's response was focused on transparency, relaying information from its providers, and directing its community to the appropriate resources for more details and for any potential remedies offered by the responsible parties. The article stands as a record of the college's acknowledgment of the event and its effort to keep its community informed about a situation that, while outside its control, still potentially affected the people associated with the institution.
