Cyber Incident Victim: Grinnell College

Date: May 2023

Location: United States of America

Summary

Hamilton College was impacted by a third-party data breach involving the MOVEit file transfer vulnerability, affecting service providers National Student Clearinghouse and TIAA. While TIAA's systems were not compromised, their vendor Pension Benefit Information, which utilizes MOVEit, experienced unauthorized access leading to potential exposure of personally identifiable information. The college itself did not host the vulnerable application but relied on these external entities for services related to educational verification and retirement benefits.


Description

A vulnerability in Progress Software's MOVEit file transfer application, identified in late May 2023, impacted numerous organizations globally, including third-party service providers used by Hamilton College. The college confirmed in July 2023 that National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA) had notified them about potential exposure of personally identifiable information belonging to some community members. Hamilton College clarified it did not operate any local MOVEit instances and bore no direct responsibility for the breach. TIAA specifically stated its core retirement and financial systems remained uncompromised, attributing the incident to Pension Benefit Information (PBI), a vendor it employs for death notice verification services that utilized the vulnerable MOVEit Transfer tool. NSC, which handles educational verification and compliance reporting for the college, also confirmed data exposure through its systems. The breach originated from unauthorized access to the third-party file transfer platform rather than direct infiltration of Hamilton's infrastructure or the primary systems of TIAA and NSC.

Hamilton College's Information Security team initiated active monitoring of the situation upon notification and coordinated with both service providers to ensure implementation of protective measures for affected individuals. TIAA and NSC assumed responsibility for directly contacting impacted parties with specific details, though neither organization disclosed the exact number or categories of compromised records from Hamilton's community. The college disseminated general safety precautions, advising individuals to review financial accounts regularly, monitor credit reports via annualcreditreport.com, consider credit freezes with major bureaus, and explore identity theft protection services like TransUnion's TrueIdentity for students. No evidence suggested misuse of exposed data as of the July 11 notification date. Hamilton maintained communication channels through its Director of Information Security and Privacy while emphasizing that ongoing response efforts remained under the purview of the third-party vendors involved in the MOVEit-related compromise.
