Clearinghouse Gets An F- Grade For Data Breach Affecting Nearly 900 US Schools
Nonprofit NGO National Student Clearinghouse handles student data reporting and exchange, serving 3,600 universities and 22,000 high schools around the United States. However, being “the leading provider of educational reporting, data exchange, verification, and research services” would make the organization a rather interesting target for threat actors looking to acquire significant amounts of student data. This is what has seemingly happened as a data breach notice has gone out to individuals associated with 890 schools who have had their personal information compromised.
Earlier this week, the National Student Clearinghouse reported that a breach had taken place in May of this year. Per the breach notice, the NSC was notified by its third-party software provider that there was an issue with the MOVEit Transfer software. This triggered an investigation into the tool, given the recent breaches involving the software, which led to the discovery that an “unauthorized party obtained certain files from the MOVEit tool.”
This breach led to the compromise of files that contained “personal information such as name, date of birth, contact information, Social Security number, student ID number, and certain school-related records (for example, enrollment records, degree records, and course-level data).” However, it is also noted that the data compromised varies from person to person, as not all affected people had all their information in the breached files. Regardless, given the severity of this breach, NSC is offering two years of free identity monitoring services to all affected by the breach.
It is believed that the Clop ransomware group is behind this breach; the group has compromised a slew of organizations through the MOVEit vulnerability. These include a residential energy provider based out of New England as well as photography and personalized items manufacturing company Shutterfly. However, Clop has not yet claimed the National Student Clearinghouse, so we will have to wait and see whether that group was responsible for the attack.