National Student Clearinghouse data breach impacts 890 schools

U.S. educational nonprofit National Student Clearinghouse (NSC) has disclosed a data breach affecting 890 schools using its services across the United States.

In a breach notification letter filed with the Office of the California Attorney General, Clearinghouse said that attackers gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing a wide range of personal information.

"On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider's MOVEit Transfer solution," NSC said.

"After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement."

The personally identifiable information (PII) contained in the stolen documents includes names, dates of birth, contact information, Social Security numbers, student ID numbers, and some school-related records (e.g., enrollment records, degree records, and course-level data).

According to the data breach notification letters, the data exposed in the attack varies for each affected individual. The complete list of educational organizations affected by this massive data breach can be found here.

NSC provides educational reporting, data exchange, verification, and research services to roughly 22,000 high schools and around 3,600 colleges and universities.

The organization says its participants enroll roughly 97% of students in public and private institutions.

In August, NSC revealed in a data breach filing with the Office of Maine’s attorney general that over 51,500 people were impacted in the incident.

Clop ransomware gang behind the MoveIT hacks

The Clop ransomware gang is responsible for the extensive data-theft attacks that started on May 27, leveraging a zero-day security flaw in the MOVEit Transfer secure file transfer platform.

Starting June 15, the cyber criminals began extorting organizations that fell victim to the attacks, exposing their names on the group's dark web data leak site.

The fallout from these attacks is anticipated to impact hundreds of organizations globally, with many already notifying affected customers over the past four months.

Despite the widespread potential victim pool, estimates from Coveware suggest that only a limited number are likely to yield to Clop's ransom demands. Nonetheless, the cybercrime gang is expected to collect an estimated $75-100 million in payments due to the high ransom requests.

Reports have also revealed that multiple U.S. federal agencies and two U.S. Department of Energy (DOE) entities have fallen prey to these data theft and extortion attacks.

H/T Brett Callow