Worcester State University has recently been notified by the National Student Clearinghouse (NSC) of a data breach that involved personal student data that the Clearinghouse maintains on behalf of the vast majority of US higher education institutions. According to NSC, an unauthorized third party obtained certain files, including Worcester State University student data files, transferred by NSC through the MOVEit Transfer tool, a file transfer software product.
Upon learning of this vulnerability, NSC launched an investigation and took steps to secure its systems. This incident took place within NSC’s system and not within Worcester State’s systems. The university does not use MOVEit software. Worcester State University’s internal data systems for student and alumni records are secure and have not been impacted by this cybersecurity incident.
At this time, NSC has provided Worcester State no further details or specific information about the data that were affected. NSC has informed the university that it is working with a third-party vendor to review affected files and identify individuals whose personal information appears in the files. Once the review is complete, NSC has indicated it will provide Worcester State with a list of affected individuals. At that time, Worcester State will work with NSC to notify any individuals impacted.
Individuals with questions can contact the Office of the Registrar at firstname.lastname@example.org or 508-929-8035.
What is the National Student Clearinghouse?
The NSC is a non-profit organization founded in 1993 to provide educational reporting, research, and data services for more than 3,600 colleges and universities.
According to NSC, software provider Progress Software recently announced a security vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. According to Progress software, an unauthorized party discovered the vulnerability in the MOVEit Transfer software, which could allow unauthorized access to files being transferred using the tool.
Based on NSC’s ongoing investigation, they have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that is maintained on behalf of some of its customers. NSC has indicated there is no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse or Worcester State University.
Are Worcester State University’s data systems safe?
Yes. While it is impossible to guarantee 100% cybersecurity, this incident took place within NSC’s system and not within Worcester State’s systems. The university does not use MOVEit software. Worcester State University’s internal student and alumni data systems have not been impacted by this cybersecurity incident.
What information was contained in the files?
At this time, we do not know the extent of the data that was compromised. Worcester State, along with most public and private colleges and universities across the country, provides student data to NSC.
Does this incident involve the records of any alumni?
The university’s internal alumni data systems were not affected by this incident.
However, since we have no information about the specific files and data that were impacted, we do not yet know if data of students who have now graduated were involved.
Does this incident involve employee records held by the university?
The university’s internal employee data systems were not affected by this incident.
However, the underlying security issue with the MOVEIt Transfer tool has impacted many corporations, government agencies, and organizations worldwide. It is possible that an individual may receive notification of a security issue from a different organization.
How has Worcester State responded to this incident?
Worcester State University takes student data privacy very seriously. University leaders are in active communication with the National Student Clearinghouse to receive updates and coordinate information. Internally, the Executive Cabinet, legal counsel, and IT security staff are working together to respond to the incident. In addition, the university has notified the following agencies of the data breach:
- Massachusetts Attorney General’s Office
- Massachusetts Comptroller’s Office
- Massachusetts Secretary of State Office
- Massachusetts Office of Consumer Affairs and Business Regulation (OCABR)
- Massachusetts Executive Office of Technology Services and Security (EOTSS)
- Massachusetts Department of Higher Education (DHE)
- U.S. Department of Education (USDOE)
How soon will I know if my data was compromised?
On July 12, NSC notified the university that it is working with a third-party vendor to review affected files and expects that review to be completed within the next few weeks. After that, NSC will begin providing its customers, including Worcester State, with more information on individuals affected. Worcester State University will work with NSC to ensure affected individuals are promptly notified.
What can I do to protect my personal data?
Here are some general guidelines to follow:
- Keep mobile devices and apps updated
- Don’t click random links or visit unknown websites
- Delete or report suspicious emails to avoid granting access to accounts
- Update and secure all home devices connected to the internet
- Use strong passwords and two-factor authentication and confirm privacy settings
- Practice safe social media use; be careful not to post personal/sensitive information
- Avoid free Wi-Fi networks to prevent compromising sensitive information
- Secure home Wi-Fi networks and digital devices by changing the factory password
- Optimize operating system, browser, and security software by installing recommended updates
Statement by President Barry M. Maloney Re: Supreme Court Decision Barring Affirmative Action in University Admissions
President Barry M. Maloney released the following statement on the Supreme Court's June 29, 2023 decision in Students for Fair Admissions Inc. v. President & Fellows of Harvard College, . . .