Cyber Incident Victim: University of Illinois System
Date:
May 2023
Location:
United States of America
Summary
A University of Illinois System data breach occurred when the National Student Clearinghouse, a third-party service provider, was compromised as part of a global cyberattack exploiting a vulnerability in the MOVEit file-transfer software. The incident exposed personal information belonging to an unspecified number of past and present students. The university system was notified of the breach and informed the affected individuals, though no evidence of fraudulent use of the compromised data was initially found.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The University of Illinois System learned in early June that the personal information of some of its past and present students was exposed in a global cyberattack that occurred on May 31. The breach did not originate within the university's own systems but was instead part of a wider incident impacting the National Student Clearinghouse, a nonprofit nongovernmental organization that provides reporting, data exchange, verification, and research services for higher education institutions. The University of Illinois System is one of the many institutions that utilizes the National Student Clearinghouse's services to manage and exchange student data.
The incident was caused by a vulnerability discovered in MOVEit, a software product used for transferring data files. The National Student Clearinghouse, along with other users of the software, shut down access to the vulnerable system upon discovery of the flaw and applied additional security measures to contain the threat. The exploitation of this vulnerability by attackers led to the unauthorized access of files stored within the MOVEit application used by the Clearinghouse.
The National Student Clearinghouse notified its many higher education clients, including the University of Illinois System, of the breach in early June. This initial notification informed the university system that the Clearinghouse had been impacted and that an investigation was underway. Specific details regarding the scope of the breach were not immediately available. On June 26, the University of Illinois System received a subsequent notification from the National Student Clearinghouse confirming that some University of Illinois System students were within the scope of the breach. This notification, however, did not provide information on which specific students were affected or what precise data types were compromised, as the Clearinghouse's investigation was reported to be ongoing at that time.
The exact number of University of Illinois students whose information was compromised remained unknown. The incident also impacted a significant number of individuals outside the university; the same global May 31 attack on the MOVEit file-transfer system affected approximately 390,000 employees of the state of Illinois, illustrating the widespread nature of the campaign.
On July 3, the University of Illinois System began its official communication regarding the incident by sending emails to students, faculty, and staff. The message was jointly authored by Joe Barnes, the chief digital risk officer at the University of Illinois System, and Nicholas P. Jones, the executive vice president and vice president of academic affairs. The email informed the community of the breach at the third-party service provider and the potential exposure of student data. The university officials stated that there was no indication at that time that any of the compromised information had been used fraudulently.
The university's communication noted that the National Student Clearinghouse would be responsible for sending direct notice to the individuals whose data was ultimately confirmed to have been accessed. The University of Illinois System stated it would advocate for that direct notification to occur as soon as possible. The system also committed to continuing to monitor the matter and to provide additional updates to those affected as more information became available from the ongoing investigation. The email acknowledged that such situations could be stressful for the individuals involved.
According to information from the National Student Clearinghouse reported by the university, there was no evidence that the affected files included the enrollment and degree files that organizations routinely submit to the Clearinghouse to meet reporting requirements and for verification purposes. This suggested that the breach may have involved other categories of data held by the service provider, though the specific nature of the exposed student information was not detailed in the available communications.
The university's response included guidance for managing the risk of identity theft, directing individuals to their right to obtain a free annual credit report from each of the major credit reporting companies: Experian, Equifax, and TransUnion. The communication also provided contact information for the Federal Trade Commission, including a phone number and web addresses for its main site and its identity theft resources, as a recommended point of contact for those seeking further information or assistance. The University of Illinois System's actions were focused on informing its community, relying on the third-party vendor to complete its investigation, and providing resources for potential victims rather than on conducting its own forensic examination, as the breach occurred within a vendor's infrastructure.