Third-Party Breaches Related to MOVEit Software Affecting PSU


What Happened?


Several third-party vendors providing services to PSU for faculty, staff, and students were breached in the global attack against the MOVEit file transfer software that compromised data at more than 600 organizations and has so far affected nearly 40 million people worldwide. PSU contracts with the National Student Clearinghouse (NSC) to provide student enrollment and degree verification services, along with required data reporting to the U.S. Department of Education related to financial aid loans. Additionally, PSU faculty and staff data is held by TIAA or Corebridge for retirement accounts. NSC, TIAA, and Corebridge are MOVEit customers, and some records provided to these vendors on PSU’s behalf were impacted by the MOVEit data breach. For further reference, NSC has posted a public announcement about the MOVEit security issue affecting its systems.

Although no systems operated or maintained by PSU were breached, we take data privacy and information security very seriously and are providing this notice to communicate the extent to which PSU student, faculty, and staff information was affected by the MOVEit breach.


Vendor-Specific Details


National Student Clearinghouse (NSC)


On June 28, 2023, we learned from NSC that some personal data of our current and former students maintained by NSC was compromised in the global MOVEit breach. Their investigation was ongoing at the time, and they indicated that they would follow up with a list of individuals and the types of data that were affected. We received lists of affected individuals along with a partial list of affected data from NSC on August 14. NSC investigated five data elements: Social Security number, student ID number, date of birth, transcript, and Postsecondary Data Partnership (PDP) data. Of these, PSU had only 4 individuals whose names and dates of birth were exposed and 18,332 individuals whose names only were exposed. We have notified the 4 individuals whose dates of birth were exposed as well as those among the remaining 18,332 individuals whose names were exposed and who had requested confidentiality for their directory records.

However, PSU regularly sends the following data elements to NSC in addition to the five elements they checked for: dates and/or terms of attendance, field of study (major, minor), fact of enrollment - including enrollment status (full-time, half-time, etc.), class standing (freshman, sophomore, etc.), current address, confidentiality status, and expected graduation date. At this time, it is unknown whether any of the additional data elements were involved in the breach. We are requesting additional details from NSC in order to fully understand what information was exposed for each of the affected individuals.


Teachers Insurance and Annuity Association of America-College Retirement Equities Fund (TIAA) and Corebridge, formerly known as AIG Retirement, or VALIC


On May 29-30th, 2023, the MOVEit server utilized by Public Benefit Information, LLC (PBI) was accessed by an unauthorized third party. PBI acts as a service provider on behalf of TIAA and Corebridge in the course of providing retirement and benefits services.

During the week of Monday, July 10th, 2023, PSU learned that 184 employees or former employees who had previously enrolled in a pension plan with TIAA had personally identifiable information exposed by the unauthorized access of PBI's MOVEit file transfer service. An additional 14 employees or former employees who had enrolled in plans through Corebridge/VALIC/AIG Retirement were also affected by the unauthorized access of PBI's systems.

During the week of Monday, July 10th, 2023, PBI sent a letter to affected parties disclosing the breach and offering two years of free credit report monitoring.


Security Recommendations

  • Be extra vigilant: It is possible that cybercriminals may leverage stolen personal information from this attack to craft convincing phishing attacks in the coming weeks and months. An email, notice, or text message containing accurate information about you or one of your accounts is not enough to verify authenticity. Verify the source of a message before responding. For example, if a notice looks suspect, search for the company online and call their customer service department directly.
  • Monitor your financial accounts and credit: It is always wise to monitor your credit report for unusual activity. Consider putting a credit freeze in place if you believe you are being targeted. 
  • Secure your accounts: Remember to enable two-factor authentication and to use long, unique passphrases for all of your accounts. Never give someone your password or a two-factor code if asked for it, even if they claim to be from a trusted organization.

For more information, contact the OIT Information Security Team at security@pdx.edu.