
Cyber Incident Victim: National Student Clearinghouse

Date: May 2023

Location: United States of America

Summary

The National Student Clearinghouse was impacted by a global cybersecurity incident stemming from a vulnerability in the third-party MOVEit Transfer software. An unauthorized party exploited this vulnerability to obtain certain files from the organization's MOVEit environment, which contained data maintained on behalf of customers and potentially included information on current or former students. The organization promptly applied security patches, notified affected customers, and rebuilt its entire MOVEit environment while coordinating with law enforcement and cybersecurity experts.


Description

On or around May 31, 2023, the National Student Clearinghouse became aware of and began investigating a cybersecurity issue stemming from a vulnerability in a third-party software tool, MOVEit Transfer, developed by Progress Software. This vulnerability was a global issue potentially affecting thousands of organizations worldwide that utilized the MOVEit tool for secure file transfers. The incident did not originate from a specific targeted attack against the Clearinghouse, its customers, or its data providers; rather, the organization was one of many entities impacted by the exploitation of this widespread software flaw. The unauthorized party responsible for the intrusion exploited this vulnerability to gain access to the Clearinghouse’s MOVEit environment.

Upon discovery of the vulnerability, the Clearinghouse promptly initiated an investigation and took immediate steps to secure its compromised MOVEit environment. These initial actions included applying the relevant security patches issued by Progress Software, following the vendor's instructions. The organization also reported the incident to law enforcement agencies, including the Federal Bureau of Investigation (FBI), and began coordinating with them. Concurrently, the Clearinghouse engaged a leading global cybersecurity firm to assist in the forensic investigation and impact assessment. The investigation was conducted with the assistance of these external experts to determine the scope and severity of the breach.

The ongoing investigation determined that the unauthorized party successfully obtained certain files that were transferred through the Clearinghouse’s MOVEit environment. These files contained data maintained by the Clearinghouse on behalf of some of its customers. The affected data potentially included information from the student record database pertaining to current or former students. Importantly, the investigation found no evidence that the standard enrollment and degree files submitted by organizations for reporting requirements and verification purposes were affected. Furthermore, there was no evidence that the threat actor was able to move laterally from the MOVEit environment into other systems on the Clearinghouse network where data is stored or transmitted. The security of the file exchange between the Clearinghouse and the National Student Loan Data System (NSLDS) was not compromised, and no files being transmitted to or from NSLDS were accessed in connection with this incident.

In response to the breach, the Clearinghouse implemented significant containment and remediation measures. Believing the initial issue to be contained through the application of patches, the organization undertook a more extensive effort to further strengthen security. This involved completely rebuilding the entire MOVEit environment from the ground up. The new environment was constructed using fresh installations of the latest operating systems and a clean copy of the most recent version of the MOVEit Transfer application. This created a pristine system that had never been accessed by the unauthorized third party. This new environment was launched the week following the incident, and customers were informed of the steps needed to transition to it. Additional monitoring measures were also implemented to detect any further suspicious activity associated with the vulnerability.

The impact of the incident was confined specifically to the MOVEit Transfer system. The Clearinghouse confirmed it had no evidence that any other systems on its network were accessed or compromised. All Clearinghouse services remained fully operational throughout the incident and subsequent response. The primary consequence was the unauthorized access and acquisition of files containing personal information of individuals from the student record database. The organization initiated a detailed review of the affected files with the assistance of a third-party provider to identify precisely which individuals' personal information was involved.

Notification and communication were key components of the response. The Clearinghouse notified the specific organizations whose data was identified as being affected by the issue. These notifications were sent via email to the affected customer organizations. The organization also maintained a public-facing webpage to provide updates on the situation. The Clearinghouse stated its priority was to provide dependable services and that it had followed, and would continue to follow, recommended guidelines from authorities like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other cybersecurity experts to protect the security of customer data and its systems. The patching process was confirmed to be complete, with all three security patches from Progress Software applied, and the organization emphasized its continuous monitoring and established patching processes to keep systems updated. The forensic investigation with the third-party cybersecurity firm continued in order to establish the complete scope of the data impacted.
