Cyber Incident Victim: Bates College
Date: May 2023
Location: United States of America
Summary
Bates College experienced a data breach affecting a total of 408 individuals after two separate sets of third-party vendors it does business with were compromised. The exposed data consisted of names in combination with Social Security Numbers. One incident, at PBI (a business associate of The Hartford), affected 15 people; a separate incident stemming from the MOVEit file transfer exploitation campaign, at TIAA and the National Student Clearinghouse, affected 393. Affected individuals were offered two years of complimentary identity monitoring; for the PBI incident the provider was Kroll, engaged by The Hartford, while the second notification did not name the provider.
Description
On or around May 30, 2023, Bates College, an educational institution located at 217 Lane Hall, 2 Andrews Road in Lewiston, Maine, was impacted by a data security incident. The event was not a direct breach of the college's own systems; it resulted from security compromises at third-party service providers with which the college conducts business. The first incident involved a company known as PBI, a business associate of The Hartford, with which Bates also does business. The specific nature of the breach at PBI was not detailed in the available information. The second incident was attributed to the widespread exploitation of Progress Software's MOVEit Transfer file transfer product (the zero-day tracked as CVE-2023-34362, exploited at scale in late May 2023), which compromised two other third-party companies used by Bates College: TIAA and the National Student Clearinghouse. The college provides its data to these entities as part of its normal business operations.

The college did not learn of the two incidents at the same time. The breach involving PBI, dated May 30, 2023, was reported to the college by The Hartford; the notification did not state when Bates College first learned of it. The separate breach affecting TIAA and the National Student Clearinghouse, also dated May 30, 2023, was discovered by the college on June 20, 2023. A gap of several weeks between occurrence and discovery is typical of third-party breaches, where the affected organization depends on its vendor to detect the compromise and notify it after the fact.
The collective impact of these separate but contemporaneous third-party incidents affected a total of 408 individuals associated with Bates College. The breach involving PBI and The Hartford was limited in scope, affecting 15 individuals, all of whom were residents of Maine. The more significant compromise stemmed from the MOVEit breaches at TIAA and the National Student Clearinghouse, which affected 393 persons. Of this group, 250 were identified as Maine residents. The total number of affected Maine residents across both incidents was 265. Because the total number of affected Maine residents did not exceed 1,000 in either case, there was no requirement to notify consumer reporting agencies.
The type of personal information acquired in both incidents was consistent. The compromised data consisted of a name or other personal identifier in combination with the individual's Social Security Number. This combination of data elements is considered highly sensitive as it can be used for identity theft and financial fraud. No other specific data types, such as financial account information or dates of birth, were mentioned in the provided breach notifications.
The responsibility for notifying the affected individuals was managed by the third-party providers involved. For the PBI breach, The Hartford, through PBI, was scheduled to begin providing written notice to the impacted Bates employees on or about the week of July 31, 2023. For the MOVEit-related breaches impacting TIAA and the National Student Clearinghouse, written notification to the affected Maine residents was carried out on July 3, 2023. Bates College submitted both breach notifications to the Maine Attorney General's office on May 31, 2023, through its Director of Information Security, Privacy, and Compliance, Chad Tracy.
In response to the exposure of sensitive personal information, identity theft protection services were secured for the victims of both incidents. For the individuals affected by the PBI breach, The Hartford engaged the services of Kroll to provide comprehensive identity monitoring at no cost for a period of 24 months. The services described include credit monitoring, fraud consultation, and identity theft restoration. For the individuals affected by the MOVEit breaches at TIAA and the National Student Clearinghouse, similar identity theft protection services were also offered for a duration of two years, though the specific provider of these services was not named in the second notification.
The incident illustrates a now-familiar pattern: an organization's data security posture depends not only on its own defenses but also on the security practices of its vendors and their sub-processors. Bates College's infrastructure was not attacked; the compromise originated entirely within the systems of its business associates, including, in the MOVEit case, a widely deployed file transfer product operated by those associates. The college's role was that of a data controller whose entrusted information was taken from third-party processors, and that role does not shift its notification obligations to the vendors even when the vendors handle the mailing. The operational impact on Bates College's own academic and administrative functions appears to have been minimal, since no disruption to its internal networks, systems, or services was involved. The primary consequence was the risk to the personal information of its affected employees and other associated individuals, requiring a response focused on consumer notification and mitigation of potential identity fraud. The college's internal response consisted of its information security leadership managing communication with the third parties and fulfilling its legal obligation to report the breaches to the appropriate state authorities.
