Cyber Incident Victim: National Math and Science Initiative
Date: Sep 2021
Location: United States of America
Summary
A Texas-based nonprofit focused on improving STEM education experienced unauthorized access to its systems over several weeks, potentially compromising names, addresses, and Social Security numbers. The organization notified over 191,000 individuals of the incident after its antivirus software detected suspicious activity, though no evidence of data misuse was identified. Impacted parties may include students, educators, or staff, with notification details varying by state jurisdiction.
Description
On or about October 13, 2021, the National Math and Science Initiative (NMSI), a Texas-based non-profit organization focused on improving U.S. student performance in STEM subjects, detected a potential security incident when its antivirus software triggered an alert. This prompted an investigation that revealed unauthorized access to certain systems had occurred between September 23, 2021, and October 18, 2021. During this 26-day period, an external actor potentially gained access to sensitive personal information stored within NMSI's infrastructure. The compromised data included individuals' full names, physical addresses, and Social Security numbers – critical identifiers that could facilitate identity theft or financial fraud. While the organization found no evidence suggesting actual misuse of the exposed information, the breach created significant privacy risks for those affected due to the sensitive nature of the compromised data elements.

NMSI initiated notification procedures to inform 191,255 potentially impacted individuals about the security incident, though its communications did not specify whether affected parties were exclusively students, teachers, employees, contractors, or a combination of these groups. The organization provided varying levels of detail in its breach notifications across different jurisdictions, with Maine recipients receiving more comprehensive information than those in Massachusetts and Vermont. This discrepancy suggests potential differences in state notification requirements or NMSI's disclosure strategy. The incident timeline indicates a three-week window between initial system compromise and detection, followed by five days of continued unauthorized access before containment was achieved on October 18. No additional technical details regarding the attack vector, system types affected, or specific containment measures were disclosed in the available notifications.
