Cyber Incident Victim: New Mexico Military Institute
Date:
May 2023
Location:
United States of America
Summary
The New Mexico Military Institute was notified by the National Student Clearinghouse of a potential data breach stemming from a vulnerability in the MOVEit Transfer tool used by the Clearinghouse. NMMI's own systems were not compromised, but the personal data of its college students transferred for federal reporting requirements may have been impacted. Information pertaining to high school cadets was definitively not involved in this incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around May 31, 2023, the New Mexico Military Institute (NMMI) was formally notified by the National Student Clearinghouse (NSC) of a potential data security incident. The notification informed NMMI that it might be impacted by a possible data security breach. This breach was not the result of a direct compromise of NMMI's own internal systems or network infrastructure. Instead, the incident originated from a third-party service provider, the National Student Clearinghouse, which experienced a security event involving one of its tools. NMMI's systems were confirmed to be unaffected by this event and were not compromised in any way, as the institute does not itself use the tool in question.
The security incident centered on the MOVEit Transfer tool, a secure file transfer application utilized by the National Student Clearinghouse. The NSC employs this tool to manage and transfer data files containing personally identifiable information on behalf of numerous educational institutions across the United States. The data transferred through this system is a requirement mandated by the U.S. Department of Education for submission to the National Student Loan Data System (NSLDS). This reporting is a standard procedure for tracking student loans and grants, and it only pertains to college-level students. The breach was therefore a supply-chain attack, impacting NMMI through its relationship with and dependence on the NSC for federal compliance reporting.
Upon receiving the notification, NMMI understood that its college student data, which had been transmitted to the NSC, was potentially exposed due to the vulnerability within the MOVEit tool at the NSC's end. The specific nature of the attacker's actions or the exact vulnerability exploited within the MOVEit software was not detailed in the public notification from NMMI. The institute's announcement clarified that the investigation being conducted by the National Student Clearinghouse remained ongoing at the time of the notification. This indicated that the full scope, cause, and extent of the data compromise were not yet fully known to either the NSC or NMMI on May 31, 2023.
A critical point of clarification provided by NMMI concerned the scope of the potential impact and the data definitively not involved. The institute stated unequivocally that high school cadet data was not impacted by this incident. This exclusion also applied to high school cadets who were concurrently enrolled in college courses. This data is not reported through the National Student Clearinghouse and therefore was never present in the files transferred via the compromised MOVEit tool. The potential impact was isolated solely to the college student data that NMMI had provided to the NSC for federal reporting purposes.
NMMI's initial response action was to publicly disclose the notification from the NSC on its official institutional website. This transparency measure served to inform the college student body and other stakeholders of the potential risk to their personal information at the earliest possible opportunity. The institute's statement carefully attributed the source of the incident to the NSC and clarified its own systems' security status. In its communication, NMMI committed to continuing to monitor the situation closely as the NSC's investigation progressed. The institute stated it would await further follow-up from the NSC once their review was complete. This follow-up was expected to include a definitive assessment of the impact specifically to NMMI and, crucially, a list of the individuals whose data was affected.
The incident response strategy adopted by NMMI was one of coordinated waiting and reliance on its third-party provider. Since the data breach occurred within the NSC's infrastructure, the primary investigation and forensic review were the responsibility of the National Student Clearinghouse. NMMI's role was to serve as a conduit of information between the NSC and its potentially affected population. The institute encouraged individuals to proactively monitor their own personal financial information and accounts for any signs of suspicious activity while the matter was being resolved. NMMI pledged to share any additional information it received from the NSC as it became available, indicating a planned ongoing communication strategy dependent on the findings of the external investigation. The full consequences of the incident, including the exact number of affected individuals and the specific data elements exposed, remained undetermined at the time of NMMI's initial public notification, pending the conclusion of the NSC's inquiry.