Data breach affects college students
A data breach affecting nearly 200 colleges and universities is causing some students to feel uneasy as the semester starts and experts urge them to safeguard their information and credit.
Progress, a software development company, announced in May that unauthorized users exploited vulnerabilities in its MOVEit Transfer and MOVEit Cloud programs. The company released a security update days later, but not before Cl0p, a hacker group, gained unauthorized access to people’s personal information, the U.S. Department of Homeland Security announced in June.
The breach particularly hit higher education institutions, as they tend to use multiple second-party websites to offer health insurance for students, such as UnitedHealthcare, and to verify people’s degrees, such as the nonprofit National Student Clearinghouse. Those two websites rely on the MOVEit software to relay information to higher education institutions about current and past students.
KonBriefing, a market research company focused on informational technology, said the ransomware attack affected an estimated 179 colleges and universities in 41 states as of last week. The attack happened weeks after College Decision Day, May 1, and in between college graduations, impacting current and former students.
The National Student Clearinghouse said on its website information from past and current students’ records could’ve been exposed. UnitedHealthcare Student Resources said in July, a combination of students’ birthdays, ID numbers, Social Security numbers and insurance information may have been exposed. Both UnitedHealthcare and National Student Clearinghouse said security updates were made to the systems.
Michigan State University students recently told USA TODAY their perceptions of how well the university manages their information has changed because of the breach. Many learned about it in the fall despite the university’s July alert.
Gabby Sabo, 20, said she had no choice but to give MSU her Social Security number, financial information, address and birthday during the application and enrollment process. She doesn’t know if the breach affected her, but it eroded the trust she has in higher education.
“They should do a better job because they have a lot of information on everyone because you have to give your social security number,” Sabo said.
Charles Cabell, 19, said he doesn’t know if his information was accessed, but wouldn’t be surprised as “everything is at your fingertips” with the internet.
Cabell has been in “many minor data breaches,” including Facebook’s 30 million-person hack in 2018 and Equifax’s 145 million-person breach in 2017, he said.
Progress’ breach exposed personal info about students
Progress doesn’t know what data was accessed in the attack because MOVEit Transfer is an on-premise software that runs on its clients’ computers, according to MOVEit’s information page. Spokesperson John Eddy equated it to a person having a Windows computer, but Microsoft doesn’t see what files are installed.
The U.S. Department of Education said all affected institutions were alerted about the incident more than two months ago. A spokesperson told USA TODAY the department monitors and tracks cybersecurity incidents, but declined questions about how often the incidents occur.
In its 2023 Cost of Data Breach report, IBM said breaches so far cost the education industry $3.65 million this year, down from $3.86 million in 2022.
“People could try to take out loans using that information, attack bank accounts depending on what they have about you and socially engineer you and impersonate you,” said Fred Scholl, a cybersecurity professor at Quinnipiac University in Connecticut.
A class-action lawsuit has been filed against Progress for what filers alleged is negligent handling of personal data in Massachusetts. Progress declined to comment on the lawsuit.
UnitedHealthcare said affected people will receive a form of credit monitoring and identity theft protection services. National Student Clearinghouse has no mention of similar offerings on its website.
Experts: Monitor your credit, password usage
Class-action lawsuits could hold businesses accountable if a court finds them negligent. But Scholl said people don’t have to wait to perform basic security checks on their banking and social media accounts.
“To some extent, individuals have to be their own human firewall to protect their data,” he said.
To do that, Charles Henderson, head of IBM’s XForce, a data security response team, said people should set up a password manager and store all passwords in it. He said many will alert users if a website has been involved in a data breach and prompt people to change their passwords. However, he said many people fall victim to reusing passwords, which he classified as a massive security issue.
Experts have advised people to turn on and use two-factor authentication wherever possible.