Cyber Incident Victim: Rockhurst University

Rockhurst University became aware of a cybersecurity incident on or around May 28, 2023, through notifications received from two of its third-party service providers. The university was informed by the National Student Clearinghouse (NSC) and its retirement plan provider, the Teachers Insurance and Annuity Association (TIAA), that their respective organizations had been impacted by a widespread cybersecurity breach. This large-scale attack targeted numerous entities across the nation that utilized the MOVEit file transfer software. The university's involvement was not due to a direct compromise of its own internal infrastructure or servers but was a consequence of the breach at these external vendors with which it shared data.

The nature of the data processed by these third parties meant that sensitive personal information was potentially at risk. The National Student Clearinghouse handles student data as part of federal reporting requirements, while TIAA administers retirement plan benefits for faculty and staff. The specific types of personal information involved in these transfers included Social Security numbers and dates of birth. The exact scope of the data exposure related to Rockhurst University's constituents, however, was not immediately known. As of the university's public statement on May 31, 2023, neither NSC nor TIAA had yet determined what, if any, information specific to Rockhurst students, faculty, or staff was actually accessed or exfiltrated by the attackers as a result of the vulnerability exploitation.

The incident did not originate from within Rockhurst University's own systems. The compromise occurred within the environments of the National Student Clearinghouse and TIAA, who were the direct users of the vulnerable MOVEit application. This distinction meant that the university's internal cybersecurity measures were not bypassed and its direct network operations were unaffected. The university's role shifted to that of an affected entity relying on its partners for information regarding the breach's impact and for guidance on the appropriate response measures. The primary impact on the university was the potential exposure of its community members' sensitive personal data, which carried inherent risks of identity theft and financial fraud.

In response to the notifications, Rockhurst University initiated a monitoring process to track the situation as it developed. The university administration began working closely with officials from both the National Student Clearinghouse and TIAA to understand the full extent of the breach and to coordinate on subsequent steps. This collaboration was essential for determining the facts of the data exposure and for planning any necessary remedial actions. The university's immediate response was focused on gathering accurate information from its partners rather than on internal containment, as the threat actor had not gained access to university-owned systems.

The university committed to communicating transparently with its community as more details were confirmed. Its public statement indicated that information, along with any recommendations for individuals who might be affected, would be shared as it became available from the third-party providers. The response strategy was therefore dependent on the findings and actions of the National Student Clearinghouse and TIAA, who were conducting their own investigations into the breach. The university awaited their guidance on next steps, which could include identity monitoring services or other protective measures for those whose data was confirmed to be involved. The chronology of the event from the university's perspective began with the notification from its partners, was followed by an internal assessment of the potential impact, and continued with ongoing coordination with those vendors to manage the consequences of a security incident that originated far outside its own control.