On June 24, DataBreaches reported that the National Student Clearinghouse was one of the victims of the MOVEit breach by Clop, In that report, DataBreaches stated that the clearinghouse’s statements to date had not indicated whether they had paid any ransom demand, but DataBreaches had learned that their name had been removed from Clop’s leak site, which is often an indication that a victim paid.
DataBreaches emailed the clearinghouse on June 23 to ask for some straight answers about whether the clearinghouse had paid any ransom demand. They didn’t reply. DataBreaches repeated the inquiry on June 25. Again, there was no reply.
Today, the clearinghouse notified schools. The following was provided to DataBreaches by a recipient:
The National Student Clearinghouse (the “Clearinghouse”) is writing to notify you of a cybersecurity issue that affects certain personal data maintained by the Clearinghouse on behalf of your organization.
As you may be aware, third-party software provider Progress Software recently announced a security vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. MOVEit Transfer is a tool used by many organizations, including the Clearinghouse, to support the transfer of data files. According to Progress Software, unauthorized actors discovered a vulnerability in the MOVEit Transfer software that could allow unauthorized access to files being transferred using the tool.
Upon learning of this vulnerability, the Clearinghouse promptly launched an investigation and took steps to secure our relevant systems, including implementing patches to the MOVEit software pursuant to Progress Software’s instructions. We reported the issue to law enforcement and have been working with leading cybersecurity experts to understand the issue’s impact on our organization. We have followed, and will continue to follow, recommended guidelines to protect the security of your data and our systems in connection with the issue.
Based on our ongoing investigation, we believe that an unauthorized party obtained certain files transferred through the MOVEit Transfer tool, including files containing personal data that the Clearinghouse maintains on behalf of your organization. We have no evidence that the unauthorized party was specifically targeting your organization’s data on our systems.
While our investigation remains ongoing, we have initiated a review of the affected files and will follow up with additional information regarding the impact to your organization, including a list of individuals whose personal data is identified in the relevant files and the types of data that generally were affected. We are prepared to assist your organization in responding to this issue. Although the Clearinghouse is not able to provide you with legal advice regarding the issue or any related legal notification obligations, if you determine that your organization is required by law to report the issue to affected individuals and regulators, the Clearinghouse will send notification on your organization’s behalf if you would like us to do so. Accordingly, we will follow up with additional information on our offer to assist with notification and how we will coordinate these efforts with your organization.
If you have any questions, please email mailto:[email protected]. We regret that your organization was affected by this issue.
Their notification is more informative than prior updates, but it seems like they just can’t get themselves to be really transparent on the extortion aspect. Their name was never re-listed on the leak site. Did they pay or didn’t they? DataBreaches wouldn’t be surprised if they hadn’t paid, but why won’t the answer the question?