Cyber Incident Victim: Spalding University
Date: May 2023
Location: United States of America
Summary
Spalding University was impacted by a third-party data breach at the National Student Clearinghouse (NSC). The incident stemmed from a vulnerability in the MOVEit Transfer software used by the NSC, through which an unauthorized party obtained files. These files contained the personal information of current and former students that the university had provided to the NSC for enrollment verification and transcript services. The university's own systems were not compromised in the attack.
Description
On or around May 31, 2023, Spalding University was formally notified by the National Student Clearinghouse (NSC) of a data security incident. The notification informed the university that an unauthorized party had successfully obtained files from within the NSC’s internal systems. These files potentially contained the personal information of individuals associated with Spalding University, specifically its current and former student population. The university clarified that the breach did not originate from its own infrastructure or information systems. Spalding University does not utilize the software tool implicated in the event and confirmed that information stored directly by the university was not accessed or exfiltrated.

The incident was attributed to the exploitation of a vulnerability within a specific software tool used by the National Student Clearinghouse, identified as MOVEit Transfer. This third-party application is designed for secure managed file transfer. The compromise occurred within the Clearinghouse’s environment, not Spalding’s, meaning the attacker targeted and infiltrated the NSC’s systems directly. The nature of the relationship between Spalding University and the National Student Clearinghouse is operational and mandatory. The university transmits student enrollment data to the NSC to comply with verification requirements set forth by the U.S. Department of Education for student loan programs. Furthermore, the NSC is utilized by the university for the issuance of electronic transcripts, a common practice among academic institutions.
Upon discovery of the breach, the National Student Clearinghouse took action to mitigate the immediate threat. The organization eliminated the specific vulnerability that had been exploited within the MOVEit Transfer tool, thereby securing its systems against the same method of attack. Concurrently, the NSC initiated an investigation to determine the full scope and impact of the incident. This investigation was conducted in coordination with federal law enforcement agencies and other third-party entities. The primary objective was to ascertain precisely which records were extracted from its systems and which individuals, from thousands of affected schools, were impacted.
The National Student Clearinghouse assumed responsibility for all direct victim notification and support efforts resulting from this breach. The NSC provided assurances to Spalding University that it would directly notify any members of the Spalding community found to be affected by the incident. Due to the central role of the NSC in the U.S. higher education ecosystem, the scope of the breach was national in scale, impacting thousands of schools that utilize its services. Consequently, the university advised its students that individuals who had attended multiple colleges might receive several separate notices from the NSC regarding the same breach event.
The potential consequences for affected individuals were related to the exposure of personal information. While the specific data elements pertaining to Spalding students were not detailed in the university’s announcement, the general risk following such an incident involves identity theft and financial fraud. The university’s communication served to inform its community of the event and the source of the breach while directing them to the NSC as the primary entity managing the response. The NSC established a dedicated informational website to serve as a resource for impacted individuals across all institutions, providing a centralized point for updates and guidance. The incident illustrates a supply-chain attack in which a vulnerability in a service provider’s software impacted numerous downstream clients, in this case educational institutions like Spalding University and their respective student bodies. The university’s role was largely informational, as the breach and the subsequent response, including forensic analysis, containment, and victim support, were managed externally by the National Student Clearinghouse.
