Cyber Incident Victim: Lewis-Clark State College

A worldwide data breach involving the MOVEit Transfer software, a file transfer tool used by third-party vendors, was identified as impacting Idaho higher education institutions on or around May 31, 2023. The incident did not compromise systems managed directly by the Idaho State Board of Education (OSBE) or the state's public higher education institutions. Instead, the breach originated from a vulnerability within the MOVEit Transfer software, which served as a third-party vendor for the National Student Clearinghouse (NSC) and the Teachers Insurance Annuity Association of America (TIAA). A data hacker exploited this vulnerability to access and download personally identifiable information held by these entities.

The National Student Clearinghouse and TIAA notified seven of Idaho's public higher education institutions that they were affected due to their association with these third-party services. The impacted institutions included North Idaho College, Lewis-Clark State College, the University of Idaho, the College of Western Idaho, Boise State University, the College of Southern Idaho, and Idaho State University. These institutions were contacted by the NSC and informed that personally identifiable information pertaining to some of their students had been compromised as a direct result of the MOVEit data breach. The breach was not isolated to Idaho, affecting higher education institutions and businesses throughout the country.

According to the notifications, the compromised data consisted of personally identifiable information about students that was maintained by the National Student Clearinghouse. The specific details of the data elements accessed were not publicly disclosed in the available information. The Teachers Insurance Annuity Association of America also utilized the MOVEit Transfer software, but the company stated that the vulnerability did not affect its internal systems and that no information was obtained from TIAA as a result of the incident. The primary vector of the attack was the exploitation of a vulnerability in the MOVEit file transfer tool, which allowed the threat actor to gain unauthorized access to data stored by its users.

In response to the breach, the National Student Clearinghouse believed its systems had been secured against further intrusion following the discovery and mitigation of the vulnerability. The NSC established a dedicated website, alert.studentclearinghouse.org, to provide information about its response to the incident and to serve as a resource for affected individuals. Students were encouraged to monitor this website regularly for further updates and information directly from the Clearinghouse. TIAA, for its part, stated that any individuals affected through its services would receive a notification letter by mail. This letter would offer free credit monitoring services for a period of two years as a protective measure.

The Idaho State Board of Education and the state's public higher education institutions issued a news release to inform the public of the situation. They confirmed they were monitoring the developments and would support the efforts of the NSC and TIAA regarding the notification process for impacted students as more information became available. The release emphasized that there was no immediate action required from students or institution employees to secure their institution accounts or data, as the breach was contained to the third-party vendors and did not involve any direct institutional systems. The organizations encouraged students and employees to take general steps to protect themselves from potential identity theft and directed them to resources provided by the Federal Trade Commission at identitytheft.gov/databreach. The incident highlights the risks associated with third-party vendor relationships and supply chain attacks in the cybersecurity landscape.