Cyber Incident Victim: Drake University

Drake University was notified by two of its third-party service providers, National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA), of a cybersecurity incident on or around May 31, 2023. The initial alert was publicly posted by the university on June 10, 2023. The incident was related to a widespread vulnerability in the MOVEit Transfer tool, a third-party file transfer software, which affected millions of individuals and organizations across the country. The university emphasized that its own internal systems were not impacted by this breach; the incident was entirely contained within the systems of its service providers and their vendors. Upon being notified of the breach, Drake University took immediate action to verify the security of its own systems.

The National Student Clearinghouse (NSC) used the MOVEit Transfer software to support the transfer of data files. The breach at NSC potentially exposed the personal data of current and former Drake University students. The specific data elements suspected to be affected included names, dates of birth, and academic transcripts. TIAA reported that no information was obtained directly from its own systems. However, the breach occurred at one of its vendors, Pension Benefit Information, LLC (PBI), which also utilized the MOVEit Transfer tool. This exposure through a third party potentially compromised the personally identifiable information of Drake University employees.

The scope and extent of the data breach were under investigation by the university, which worked diligently with its cybersecurity team as well as with NSC and TIAA to determine the full impact and coordinate a response. The university committed to providing updates on its newsroom page, in the OnCampus newsletter, and via email to faculty, staff, and students as more information became available. The initial communication urged all campus community members to take protective steps, including monitoring their credit scores and online accounts, using multifactor authentication, being vigilant against phishing attempts, and considering a temporary credit freeze.

An update was provided on July 25, 2023. TIAA had formally notified the university that the personal identifiable information of approximately 650 current and former Drake employees may have been exposed through the MOVEit Transfer data breach at its vendor, Pension Benefit Information, LLC. The affected individuals were to receive a notification letter directly from PBI via postal mail. The vendor also offered free credit monitoring for two years to each of the individuals impacted. Concurrently, NSC informed Drake that the personal data of current and former students may have been breached. Impacted students and alumni were to be notified via postal mail, and recipients were advised to read any notices they received carefully.

A further update was issued on August 21, 2023, providing more precise figures on the impact. According to the National Student Clearinghouse, fewer than five current or former Drake University students were definitively identified as having their personal data compromised as a direct result of the MOVEit Transfer data breach. Importantly, there was no evidence that the data compromised in the NSC portion of the incident included social security numbers. The National Student Clearinghouse assumed responsibility for notifying these affected individuals and for providing them with credit monitoring services. Information about these services was to be provided by Kroll, a risk and financial advisory solutions company working on behalf of NSC. The incident involving the university's data was a subset of a much larger global cyber incident exploiting the MOVEit vulnerability.