Cyber Incident Victim: Vermont State Colleges

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident impacted the Vermont State Colleges due to a breach in the MOVEit software used by its third-party partners, National Student Clearinghouse (NSC) and TIAA. Personally identifiable information for some students and employees was potentially exposed. The institution itself did not host the vulnerable software. The partners are directly notifying affected individuals and have offered credit monitoring services, while the VSC IT department continues to monitor the situation with the service providers.

Description

A significant number of organizations worldwide were affected by a cybersecurity event related to the MOVEit software utility in late May 2023. The Vermont State Colleges System (VSC) was notified that it was indirectly impacted by this incident because two of its partners, the National Student Clearinghouse (NSC) and TIAA, host the MOVEit software. The VSC itself does not host MOVEit. The breach occurred on the systems of these third-party service providers, leading to a potential exposure of Personally Identifiable Information (PII) belonging to VSC students and employees. The VSC IT department became actively engaged in monitoring the situation on or around May 31, 2023, in partnership with the affected service providers to determine the full extent of the potential data exposure.

The National Student Clearinghouse provides educational reporting, data exchange, verification, and research services to many higher education institutions, including the Vermont State Colleges. The VSC shares student data and information with NSC as part of their standard operations. NSC confirmed to VSC that some of its students were included in the data exposure resulting from the MOVEit software breach. The NSC committed to contacting affected individuals directly if their data was determined to be at risk. NSC also established a dedicated status page on its website to provide information about the incident and its response efforts.

The second partner involved was TIAA, a financial organization that provides investment and insurance services for employees in the nonprofit sector. The VSC shares employee information with TIAA for participation in its retirement plans. According to information provided by TIAA, a vendor it contracts with, Pension Benefit Information, LLC (PBI), used the MOVEit software as part of its death claim and beneficiary processes. This third-party vendor's use of the compromised software was the source of the potential exposure of VSC employee data. PBI assumed responsibility for directly notifying individuals whose information was impacted. The notification was to be conducted via mail, and the communication included an offer of two years of credit monitoring services at no cost to the affected individuals.

In its communications to the VSC community, the administration provided a summary of the information received from its partners and outlined the steps being taken. The primary guidance offered to students and employees was to await direct communication from either NSC or PBI, depending on their affiliation. For employees, the VSC recommended following the specific guidance provided by TIAA to ensure personal data was protected. A document outlining best practices for data protection, as supplied by TIAA, was distributed to employees.

The incident did not originate on or directly impact any internal VSC systems. However, the college system used the event as an opportunity to remind its community of the existing security measures it has implemented to protect personal information. These measures are part of a continuous effort by the VSC IT department and the VSC Cybersecurity Team. Their security practices include a formal vendor review and security vetting process. When onboarding new vendor partners, the cybersecurity team conducts an initial review of the products and services offered, with specific consideration given to how data is stored, what data is shared, who it is shared with, and the vendor's history of past security breaches.

Additional technical security efforts were detailed. Multi-factor Authentication (MFA) is required for all VSC users through the DUO utility to verify all Single Sign-On (SSO) access to VSC services. This policy had been rolled out to all users in the months preceding the incident. For endpoint protection, the VSC recently partnered with SentinelOne to deploy its Endpoint Detection and Response (EDR) product, which monitors all VSC-owned devices for malicious software and other threats. Administrative and elevated access privileges are granted on an as-needed basis, a policy designed to reduce the risk of administrative account compromise. These privileged accounts are subject to an annual review conducted by the VSC Cybersecurity Team in conjunction with the corresponding departments to ensure that only active users who require such access retain it.

Furthermore, the VSC Cybersecurity department administers phishing tests to all faculty and staff on a semesterly basis. These tests are accompanied by training modules intended to continuously educate users on the importance of secure email usage. The college system reiterated that it will never ask for personal information via email or text message. The response was focused on providing factual information from its partners, advising on next steps for those potentially affected, and reinforcing the institution's commitment to data security through a description of its established protective measures.
