Cyber Incident Victim: University of Rochester
Date: May 2023
Location: United States of America
Summary
The University of Rochester was impacted by a cybersecurity incident resulting from a software vulnerability in the third-party MOVEit file transfer tool exploited by the Clop ransomware gang. The unauthorized access led to the theft of personal information, including names and Social Security numbers, affecting a significant number of students, faculty, and staff. The university worked with the FBI and external forensic experts to investigate the breach and subsequently offered affected individuals identity protection services.
Description
On or around May 27, 2023, a cybersecurity incident occurred at the University of Rochester. The incident was the result of a software vulnerability in MOVEit, a file transfer product provided by a third-party vendor. This vulnerability, tracked as CVE-2023-34362, was a zero-day flaw being exploited by the Clop ransomware gang in a widespread, global attack campaign. The University of Rochester, along with the government of Nova Scotia, Canada, was among the first organizations in North America to confirm data theft as a result of this exploitation. The university publicly revealed the attack in a statement issued on Friday, June 2, 2023.

The University stated that the vulnerability had impacted approximately 2,500 organizations worldwide. The initial university announcement on June 2nd indicated that faculty, staff, and students could be impacted, but the full scope of the impact and the specific nature of the personal data accessed were not yet known as the investigation was ongoing. The university’s initial internal assessment estimated that 41,000 students, faculty, and staff could be vulnerable. The university promptly took action following the discovery of the incident. Its IT staff began working closely with the FBI and an outside digital forensics firm to determine what information was compromised and what actions needed to be taken.
The incident was formally reported to the Office of the Maine Attorney General, as required by data breach notification laws. This filing, submitted by counsel for the university, provided more precise figures on the scope of the incident. It stated the total number of persons affected was 88,025, which included 91 Maine residents. The date the breach occurred was listed as May 27, 2023. The date the breach was discovered was listed as July 19, 2023. The description of the breach was categorized as involving a third-party vendor and unauthorized access. The specific information acquired was identified as names in combination with Social Security Numbers.
The university’s response and investigation timeline shows that determining the full impact unfolded over several weeks. While the incident occurred in late May and was publicly acknowledged in early June, the specific details of what data was taken and who was affected were not fully known until later in the summer. On July 28, 2023, the University of Rochester began notifying by mail the individuals whose personal information may have been involved. This notification was confirmed in the Maine AG filing, which listed the same date for consumer notification. Notification was by written letter.
As part of its response to the breach, the University of Rochester offered identity theft protection services to the affected individuals. The services were provided by Experian IdentityWorks and were offered for a duration of two years. This offering was detailed in the formal breach notification submitted to the state of Maine. In its initial public communication on June 2nd, the university had also urged everyone in the community to take proactive steps, including changing passwords, using multi-factor authentication where available, and checking credit cards and financial accounts for any suspicious activity.
The attackers behind the incident were identified as the Clop ransomware gang, which claimed responsibility for the exploitation of the MOVEit vulnerability. Cybersecurity analysts noted that this group has a history of targeting popular file transfer tools, including Fortra’s GoAnywhere product and Accellion’s File Transfer Appliance. In this case, the group’s method of attack was characterized as a “steal and extort” operation rather than a traditional ransomware attack that encrypts systems. This means the primary objective was to exfiltrate sensitive data and then attempt to extort payment from the victims by threatening to release the stolen information.
The MOVEit software vendor, Progress, responded to the discovery of the vulnerability by promptly launching an investigation and alerting customers. The company reported that it disabled web access to MOVEit Cloud to protect its cloud customers, developed a security patch to address the vulnerability, made it available to its MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within a 48-hour period. The company also stated that it had implemented third-party validations to confirm the patch closed the exploited vulnerability, was continuing to work with cybersecurity experts, and had engaged with federal law enforcement agencies.
The impact of the global attack campaign extended far beyond the University of Rochester. Major companies including the BBC, British Airways, and the Irish carrier Aer Lingus also announced data breaches. These organizations confirmed that the personal data of their staff was exposed due to a cyber incident impacting their common payroll provider, Zellis, which also utilized the vulnerable MOVEit software. The widespread nature of the attack highlighted the significant supply chain risk posed by vulnerabilities in commonly used third-party software products.
The investigation into the University of Rochester incident involved multiple parties, including the university's own IT team, an external digital forensics firm, and federal law enforcement, specifically the FBI. The complexity of such investigations was noted by experts from the Identity Theft Resource Center, who indicated that determining the full damage can be a long-tailed event. The potential consequences for victims include the immediate risk of identity fraud, such as the creation of new bank accounts, as well as the possibility that the stolen data could be held for years before being used maliciously. The attackers are typically sophisticated, well-organized groups often based in Eastern Europe and South Asia, and the likelihood of them being caught and prosecuted is considered extremely low. The University of Rochester's notification process and offer of credit monitoring services concluded the initial public response to the confirmed theft of sensitive personal information.
