Cyber Incident Victim: Lycoming College

On or around May 31, 2023, Lycoming College became aware of a significant privacy breach impacting multiple organizations and institutions of higher education across the United States. The incident did not originate from or directly target Lycoming College's own infrastructure. The college confirmed that no systems maintained internally by Lycoming College were breached. The event was instead a consequence of a vulnerability within MOVEit, a widely used data transfer software. The breach affected two of the college's external service providers, the National Student Clearinghouse (NSC) and the financial services organization TIAA. These third-party entities utilized the compromised MOVEit software, which is owned by Progress Software.

The initial notification received by Lycoming College came from the National Student Clearinghouse. This notification informed the college of a possible impact to its student population. The college did not receive any similar notification from TIAA concerning potential impact to its faculty or staff members at that time. The specifics of the data compromised in the breach were not immediately provided by either NSC or TIAA. Furthermore, no direct communications were received from Progress Software, the parent company of the vulnerable MOVEit application. The lack of detailed information from these external partners meant the full extent of the breach and its precise impact on Lycoming College students, faculty, and staff remained unclear during the initial phase of the incident.

Despite the absence of specific data particulars, the college was able to ascertain the general type of information potentially at risk based on its known data-sharing practices with the affected providers. The data shared with both NSC and TIAA includes personally identifiable information. This category of sensitive data encompasses Social Security numbers and dates of birth. The potential exposure of this information created a significant privacy concern for individuals associated with the college. The college administration expected that NSC, TIAA, and Progress Software would ultimately fulfill their responsibilities by directly contacting any individuals whose data was confirmed to have been compromised, providing them with information regarding necessary next steps.

In response to the incident, Lycoming College activated its Information Security Incident Response Team. This team is comprised of members from Information Technology Services, faculty, and administrators representing various divisions across the institution. The team began meeting frequently to monitor the evolving situation. Their primary role was to gather available information, assess the potential implications for the college community, and coordinate internal communications. The team's activities focused on actively tracking developments from the external service providers and Progress Software, as the root cause and full scope of the breach were entirely outside the college's direct control.

The college's internal response included a proactive communication strategy to ensure transparency with its campus community. A detailed message was disseminated to inform students, faculty, and staff of the situation. This communication clearly stated that Lycoming's own systems were not involved in the security event, providing assurance that the breach was contained to the third-party providers. The message acknowledged the uncertainty surrounding the specific impact but outlined the nature of the data potentially exposed. It also established a dedicated communication channel for the college community, directing any questions or concerns to a specific email address: [email protected]. The response was coordinated and signed by Robert L. Dunkleberger, the Associate Vice President for Library & Information Technology Services, indicating the incident was being managed at a senior administrative level.

The breach was part of a much larger, national-scale cybersecurity event. The vulnerability in the MOVEit file transfer tool was exploited by threat actors, leading to a widespread compromise affecting countless organizations that relied on the software. This context meant that Lycoming College's experience was not isolated but part of a broader pattern impacting higher education and other sectors nationally. The college's reliance on NSC, a central repository for student academic data, and TIAA, a major provider of retirement and financial services, inherently linked it to the fortunes of these partners. The compromise of these vendors' systems through a ubiquitous tool like MOVEit underscores the systemic cybersecurity risks inherent in modern institutional operations and data sharing.

The definitive consequences for Lycoming College individuals remained undetermined at the time of the public communication. There was no information available regarding any malicious use of the data that was potentially compromised. The incident highlighted the college's dependence on external service providers and the associated risks that such relationships introduce, even when the institution's own cybersecurity posture is robust. The continued monitoring by the Information Security Incident Response Team represented the college's commitment to staying informed and providing updates as more concrete information became available from the external entities responsible for the breached systems. The situation remained fluid, with the college awaiting further specifics from NSC and TIAA regarding the exact data elements involved and the identification of affected individuals. The college's response was characterized by a cautious and measured approach, prioritizing the dissemination of confirmed facts while avoiding speculation about the unknown aspects of the incident.