National Student Clearinghouse data breach | What you need to know
Updated: July 26, 2023
The National Student Clearinghouse (NSC) recently notified Green River College of a cybersecurity breach involving a vulnerability in one of their third-party software tools, MOVEit Transfer.
While Green River College does not use the MOVEit software and no systems operated or maintained by GRC were breached, the College is actively monitoring the situation and will share relevant future information it receives from NSC. It is important to note that ctcLink was not breached, as this incident is localized to the NSC and MOVEit systems. At this time, National Student Clearinghouse has not provided GRC any additional details or specified what data was affected.
Below is a list of frequently asked questions, which will be continuously updated. NCS has posted details about this incident on its website.
The National Student Clearinghouse (NSC) is a national non-profit with 3,600 partner schools across the country, including Green River College. NSC provides enrollment and degree verification to the National Student Loan Data System, private employers, external scholarship organizations, and member schools to conduct prior and subsequent enrollment reviews.
According to NSC, software provider Progress Software recently announced a security vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. According to Progress software, an unauthorized party discovered the vulnerability in the MOVEit Transfer software, which could allow unauthorized access to files being transferred using the tool.
Based on NSC's ongoing investigation, they have determined that an unauthorized party obtained certain files transferred through the Clearinghouse's MOVEit environment, including files containing data that is maintained on behalf of some of its customers. NSC has indicated there is no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse or any specific college.
- Upon identifying this vulnerability, the NSC launched an investigation and took steps to secure relevant systems. Their investigation determined that an unauthorized party obtained files which contained personal information that is maintained on behalf of member organizations.
- The Clearinghouse promptly took measures to protect customer data and its systems by applying the relevant security patches and diligently following guidance from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
- The NSC is conducting a third-party forensic review to identify affected institutions and their specific students.
- The NSC will inform any affected college of any compromised student data.
As a precautionary measure, NSC rebuilt the Clearinghouse's entire MOVEit environment, using new installations of the latest operating systems as well as installing a clean copy of the latest version of the MOVEit Transfer application.
Yes. This incident took place within NSC's system and not within Green River's systems. GRC does not use the MOVEit software and our internal student and alumni data systems have not been impacted by this cybersecurity incident.
At this time, we do not know the extent of the data that was compromised. Green River, along with most public and private colleges and universities across the country, provides student data to NSC.
The College's internal employee data systems were not affected by the NCS data breach.
However, the underlying security issue with the MOVEIt Transfer tool has impacted many corporations, government agencies, and organizations worldwide. On July 6, 2023, GRC's Human Resources shared information regarding a data breach from TIAA-CREF, a financial organization that offers investment and insurance services to employees working in the academic, research, medical, governmental, and cultural fields. The data transferred from GRC to TIAA was not compromised. However, TIAA has indicated that Pension Benefit Information, LLC, an outside vendor it shares information with, has been impacted. For full details on this event, please refer to the attached email, or by searching "TIAA-CREF Security Incident" in your Green River email inbox.