DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

National Student Clearinghouse notifies schools of MOVEit breach

Posted on June 28, 2023 by Dissent

On June 24, DataBreaches reported that the National Student Clearinghouse was one of the victims of the MOVEit breach by Clop, In that report, DataBreaches stated that the clearinghouse’s statements to date had not indicated whether they had paid any ransom demand, but DataBreaches had learned that their name had been removed from Clop’s leak site, which is often an indication that a victim paid.

DataBreaches emailed the clearinghouse on June 23 to ask for some straight answers about whether the clearinghouse had paid any ransom demand. They didn’t reply. DataBreaches repeated the inquiry on June 25. Again, there was no reply.

Today, the clearinghouse notified schools. The following was provided to DataBreaches by a recipient:

The National Student Clearinghouse (the “Clearinghouse”) is writing to notify you of a cybersecurity issue that affects certain personal data maintained by the Clearinghouse on behalf of your organization.

As you may be aware, third-party software provider Progress Software recently announced a security vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. MOVEit Transfer is a tool used by many organizations, including the Clearinghouse, to support the transfer of data files. According to Progress Software, unauthorized actors discovered a vulnerability in the MOVEit Transfer software that could allow unauthorized access to files being transferred using the tool.

Upon learning of this vulnerability, the Clearinghouse promptly launched an investigation and took steps to secure our relevant systems, including implementing patches to the MOVEit software pursuant to Progress Software’s instructions. We reported the issue to law enforcement and have been working with leading cybersecurity experts to understand the issue’s impact on our organization. We have followed, and will continue to follow, recommended guidelines to protect the security of your data and our systems in connection with the issue.

Based on our ongoing investigation, we believe that an unauthorized party obtained certain files transferred through the MOVEit Transfer tool, including files containing personal data that the Clearinghouse maintains on behalf of your organization. We have no evidence that the unauthorized party was specifically targeting your organization’s data on our systems.

While our investigation remains ongoing, we have initiated a review of the affected files and will follow up with additional information regarding the impact to your organization, including a list of individuals whose personal data is identified in the relevant files and the types of data that generally were affected. We are prepared to assist your organization in responding to this issue. Although the Clearinghouse is not able to provide you with legal advice regarding the issue or any related legal notification obligations, if you determine that your organization is required by law to report the issue to affected individuals and regulators, the Clearinghouse will send notification on your organization’s behalf if you would like us to do so. Accordingly, we will follow up with additional information on our offer to assist with notification and how we will coordinate these efforts with your organization.

If you have any questions, please email mailto:[email protected]. We regret that your organization was affected by this issue.

Their notification is more informative than prior updates, but it seems like they just can’t get themselves to be really transparent on the extortion aspect. Their name was never re-listed on the leak site. Did they pay or didn’t they? DataBreaches wouldn’t be surprised if they hadn’t paid, but why won’t the answer the question?

Related posts:

  • CMS Notifies Additional Individuals Potentially Impacted by MOVEit Data Breach
  • State governments among victims of MoveIT Transfer breach
  • Health data of more than 8 million people accessed by MOVEit hackers: US govt contractor
  • Hackers Using MOVEit Flaw to Deploy Web Shells, Steal Data
Category: HackMiscellaneousU.S.

Post navigation

← HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000
‘No credible evidence,’ Formal complaint filed against local doctor at center of alleged cyber attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.