Cyber Incident Victim: National Student Clearinghouse
Date: Jun 2023
Location: United States of America
Summary
The National Student Clearinghouse was compromised as part of the Clop ransomware gang's mass exploitation of a critical vulnerability in Progress Software's MOVEit Transfer file transfer tool. The group listed the educational non-profit on its dark web leak site, claiming to have downloaded a significant amount of its data. The incident was one of many in a broader campaign affecting numerous organizations, with sensitive information potentially exposed at each.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around June 15, 2023, the ransomware gang known as Clop began listing the first victims it had compromised by exploiting a critical security vulnerability in the MOVEit Transfer file transfer tool (the SQL injection flaw tracked as CVE-2023-34362). This tool, developed by Progress Software, is widely used by corporations and other large organizations to share large files over the internet. The Clop gang, which has known links to Russia, had been actively exploiting the vulnerability since late May, before Progress Software issued a patch for the flaw; because it was exploited as a zero-day, a number of Progress customers were compromised before any fix was available. The gang publicly named its victims by posting a list on its dark web leak site. Among the organizations listed was the National Student Clearinghouse, an educational non-profit. Other named victims included U.S.-based financial services organizations 1st Source and First National Bankers Bank, Boston-based investment management firm Putnam Investments, the Netherlands-based Landal Greenparks, the U.K.-based energy giant Shell, financial software provider Datasite, student health insurance provider United Healthcare Student Resources, American manufacturer Leggett & Platt, Swiss insurance company ÖKK, and the University System of Georgia.

The gang employed an unusual tactic: rather than contacting the organizations it had hacked directly to demand a ransom payment, it posted a blackmail message on its dark web leak site instructing victims to contact the gang before a June 14 deadline. At the time the victim list was published, no stolen data from any organization had been publicly released. However, in its message, Clop claimed to have downloaded "alot [sic] of your data." The full number of organizations impacted by the mass exploitation of the MOVEit vulnerability remained unknown at the time. The incident fit a broader pattern of mass attacks conducted by the Clop gang, which had previously exploited flaws in other file transfer tools, including Fortra's GoAnywhere and Accellion's File Transfer Appliance (FTA).
The incident involving the National Student Clearinghouse was part of a larger wave of compromises affecting numerous sectors. Before the public listing of victims on June 15, several other organizations had already disclosed that they were compromised as a result of the attacks on the MOVEit software, including the BBC, Aer Lingus, and British Airways. These organizations did not run MOVEit themselves; they were affected because they relied on a common third-party supplier, the HR and payroll software company Zellis, which confirmed that its own MOVEit system had been compromised, so their employee data was exposed through the vendor's instance. The Government of Nova Scotia, which used MOVEit to share files across its departments, also confirmed it was affected and stated that some citizens' personal information may have been compromised. In a message on its leak site, Clop claimed an exception for certain government entities, stating, "if you are a government, city or police service… we erased all your data."
Following the public listing of victims, further organizations continued to come forward to confirm their involvement in the incident. Johns Hopkins University confirmed a cybersecurity incident it believed was related to the MOVEit mass-hack. The university stated the data breach may have impacted sensitive personal and financial information, including names, contact information, and health billing records. The U.K.'s communications regulator, Ofcom, confirmed that confidential information had been compromised in the attack, including some data about the companies it regulates and the personal information of 412 Ofcom employees. According to other news reports, Transport for London (TfL), the government body responsible for running London's transport services, and global consultancy firm Ernst & Young were also impacted.
The potential scope of the incident was considered significant because of the widespread use of the MOVEit software. Researchers reported that thousands of MOVEit servers, the majority located in the United States, remained discoverable on the internet, suggesting that many more victims could be revealed in the following days and weeks. Further analysis from American risk consulting firm Kroll indicated that the Clop gang may have been experimenting with ways to exploit this particular MOVEit vulnerability for almost two years, with related activity dating as far back as 2021. This long lead time illustrated the degree of prior knowledge and planning behind the mass exploitation event. The public response from listed victims varied. A spokesperson for the University System of Georgia stated they were evaluating the scope and severity of the potential data exposure and would issue notifications to affected individuals if necessary, consistent with federal and state law. A spokesperson for the German company Heidelberg, which was also listed, stated that the incident had occurred a few weeks earlier, was countered quickly and effectively, and, based on the company's analysis, did not lead to any data breach. Most other listed victims, including the National Student Clearinghouse, had not yet provided public statements or responded to requests for comment at the time of reporting.
