Cyber Incident Victim: University of Missouri
Date: May 2023
Location: United States of America
Summary
The University of Missouri System was impacted by a global MOVEit file transfer software breach attributed to the CL0P ransomware gang. The incident compromised sensitive personal information, including Social Security numbers, of over 118,000 individuals. The breach occurred via outside vendors used by the university, specifically Pension Benefit Information, LLC and the National Student Clearinghouse, which handled enrollment and pension data. The university initiated an investigation and offered affected individuals identity theft protection services.
Description
The University of Missouri System was notified of a potential data breach involving the MOVEit file transfer software used by its outside vendors. This incident, which impacted thousands of organizations worldwide, was publicly reported by national media outlets around May 31, 2023. Upon learning of the issue, university officials immediately initiated an investigation separate from their vendors and notified federal law enforcement. The breach impacted external vendors used by the university to assist in its enrollment and pension processes. Interim vice president for Information Technology, Ben Canlas, stated that while specific information was still being determined, current and former employees, students, and retirees might be impacted. The university's initial investigation concluded that some personal data had been compromised, though the specific types of information and the number and identity of affected individuals had not been confirmed at that early stage.

The Russian hacking group known as CL0P claimed on Friday, May 31, 2023, that the University of Missouri System was among its victims in this global cyberattack. This aligned with warnings from the federal Cybersecurity and Infrastructure Security Agency (CISA) that the group had begun exploiting a vulnerability in the MOVEit Transfer software. A university spokesman, Christian Basi, confirmed the university was aware of CL0P's announcement and was investigating an IT issue that could be a potential security breach, with the MOVEit software involved in that investigation. The university became aware of the issue in early June. Because the software was used on multiple campuses but not by all departments, the investigation encompassed the entire UM System. Webpages for the UM System and the University of Missouri-St. Louis showed the system used the popular file-sharing software.
The investigation identified two specific outside vendors that were impacted. Pension Benefit Information, LLC (PBI), a subcontractor with several university vendors, and the National Student Clearinghouse, which is used to verify academic information and educational data reporting, were both affected. Files from these vendors might have included information from the student record database on current or former students. PBI began notifying impacted individuals and providing resources. The National Student Clearinghouse conducted a review of the affected files, with university officials expecting to receive additional information regarding the impact upon the completion of that review.
According to a data breach notification submitted to the Maine Attorney General's office by the university's legal counsel, the breach was discovered on September 9, 2023. The date the breach occurred was listed as May 31, 2023. The breach was described as an external system breach, or hacking. The total number of persons affected was 118,808, which included 36 Maine residents. The information acquired consisted of a name or other personal identifier in combination with a Social Security Number.
The university provided written notification to affected consumers on October 20, 2023. Identity theft protection services were offered to affected individuals. The services provided were for 24 months through Kroll and included credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. These services were offered specifically to individuals whose Social Security number was exposed.
Another entity, Milliman, Inc., which provides administrative services to employee benefit and pension plan sponsors, also filed a breach notification that provided further technical details on the event impacting PBI. Milliman utilized PBI as a third-party vendor to conduct research on whether plan members and beneficiaries had passed away. For this purpose, Milliman transferred client consumer data to PBI using a secure and encrypted file transfer protocol. PBI notified Milliman that it had experienced a data security incident affecting this data. PBI utilized the MOVEit Transfer software for its secure file transfer protocol servers and stored client data on those servers.
According to information provided by PBI to Milliman, Progress Software disclosed on or around May 31, 2023, that its MOVEit Transfer software contained a previously unknown "zero-day" vulnerability designated CVE-2023-34362. PBI launched an investigation which determined that an unauthorized third party accessed one of PBI’s MOVEit Transfer servers on May 29, 2023, and May 30, 2023, and downloaded data. PBI conducted a manual review of its data to confirm the identities of individuals potentially affected, completing that review on July 21, 2023. It was after this date that PBI confirmed to Milliman that personal information of certain consumers had been affected. This timeline indicates the initial intrusion and data exfiltration from PBI's systems occurred just prior to the public disclosure of the vulnerability by the software maker.
The university advised individuals to take steps to reduce their chances of being a victim of a similar crime, regardless of whether they were impacted by this specific event. Recommended actions included checking credit reports annually, considering placing a credit freeze with credit-reporting agencies, blocking electronic access to Social Security information, remaining suspicious of emails from unknown individuals, and not sharing personal information electronically. It was noted that even with every precaution, individuals could still be victims of crime, and anyone who believed they were a victim of fraud or identity theft was encouraged to file a police report.
Federal authorities characterized the campaign as opportunistic and relatively superficial, noting that the intrusions were not being leveraged to gain broader access or persistence into targeted systems. A senior CISA official confirmed that neither the U.S. military nor the intelligence community was affected by the broader campaign.
