
Cyber Incident Victim: Boston University

Date: May 2023

Location: United States of America

Summary

Boston University was indirectly impacted by a third-party data breach stemming from a vulnerability in the MoveIT file transfer software. The university itself was not a direct user of the software, but several of its vendors were compromised. These vendors, including a health plan subcontractor and a student data services organization, had access to information on employees and students, potentially exposing their data.


Description

In late May 2023, Boston University became aware of a significant vulnerability discovered in a file transfer software package known as “MoveIT,” which is produced by Progress Software. This awareness was not due to a direct impact on the university's own systems but stemmed from the broader cybersecurity advisory landscape, including an official advisory released by the federal Cybersecurity & Infrastructure Security Agency (CISA) on June 1st. The university promptly confirmed that it was not a customer of the MoveIT software and had not utilized it internally; therefore, its own infrastructure was not directly compromised by this specific vulnerability. The incident, however, quickly evolved into a substantial third-party data breach scenario for the university community due to its vendors' use of the compromised software.


The core of the incident involved data breaches at several external vendors with whom Boston University had established relationships. These third-party entities had employed the vulnerable MoveIT software in their own operations, and attackers exploited the vulnerability to gain unauthorized access to their systems. Consequently, data pertaining to members of the Boston University community, which had been shared with these vendors for legitimate business purposes, was exposed. The university began receiving formal notifications from these vendors informing them of the breaches and the potential impact on university students, faculty, and staff.

One of the first vendors to provide notification was NASCO, which operated as a subcontractor to Blue Cross Blue Shield of Massachusetts (BCBSMA). NASCO had access to personal data belonging to Boston University employees who were enrolled in BCBSMA health plans through the university. The breach at NASCO meant that sensitive health and personally identifiable information for these employees was potentially accessed by unauthorized actors. In response to this notification, Boston University directed its community members with questions to contact its Human Resources department via a dedicated email address, [email protected]. The primary responsibility for directly notifying the affected individuals, however, rested with NASCO itself.

A second vendor, Pension Benefit Information (PBI), also notified Boston University of a breach. PBI served as a subcontractor for two of the university's financial services providers: Fidelity Investments and the Teachers Insurance and Annuity Association of America (TIAA). The data accessible to PBI was related to a subset of university employees who had accounts with these retirement services providers. This breach potentially exposed financial and personal information specific to those select employees. Similar to the NASCO breach, the university instructed its community to direct inquiries to the [email protected] address, while the duty for issuing individual breach notifications fell to PBI and its partnering firms, Fidelity and TIAA.

The third vendor involved was the National Student Clearinghouse (NSC), a nonprofit organization that provides critical educational reporting, verification, and data exchange services to thousands of institutions. The NSC suffered a breach through the MoveIT vulnerability, which compromised some of the student data it held for Boston University. Upon initial notification, the university had limited specific details beyond the public advisory posted by the NSC itself. As of July 13th, 2023, the university's public statement indicated that more information was expected in the coming weeks, and the institution committed to updating its community as those details became available. The scope of the impact on students remained unclear at that time.

A subsequent update to the incident occurred on August 14th, 2023, when Boston University learned from the National Student Clearinghouse that the breach had indeed impacted a very small number of BU students. With this confirmation, the university announced that these affected students would receive direct notification from the University Registrar's office. This marked a shift from the other vendor breaches, where the third parties handled notifications; in this case, the university took on the direct responsibility of informing the impacted students. The exact nature of the student data exposed was not detailed in the available information.

Throughout the event, Boston University's primary response action was to communicate transparently with its community via its TechWeb blog. The university emphasized its serious approach to protecting community data and its active role in working with the affected vendors. This collaboration ensured that the vendors fulfilled their obligations to identify and directly notify impacted individuals, as is standard practice in third-party data breaches. The university served as a central point for information, providing a consolidated list of involved vendors and clear guidance on where to send questions, thereby managing the flow of information and reducing confusion.

The impacts of this incident were exclusively confined to data exposure through third-party service providers. No internal Boston University systems, servers, or networks were breached or otherwise compromised. The consequences were therefore related to the potential misuse of personal data that had been entrusted to vendors for administrative functions, including health insurance processing, retirement services management, and educational verification. The university's response was characterized by monitoring the situation, relaying information from vendors to its community, and awaiting further updates to fully understand the complete scope of the data exposure across all three third-party incidents.
