The National Student Clearinghouse (NSC) revealed a recent data breach impacted 890 schools that use its services.
A breach notification letter filed with the Office of the California Attorney General said the Cl0p ransomware gang gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing personally identifiable information (PII).
Clearinghouse is a nonprofit that provides educational reporting, data exchange, verification, and research services to approximately 22,000 high schools and 3,600 colleges and universities, which make up roughly 97% of students in public and private institutions, according to Bleeping Computer.
“On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider’s MOVEit Transfer solution,” NSC wrote in the letter. “After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement.”
The stolen PII contained names, birth dates, contact information, Social Security numbers, student ID numbers and other school-related records. NSC said it has implemented patches to the MOVEit software and additional monitoring measures to further protect its systems and customers’ data. It is also offering identity monitoring services at no cost for two years.
In late May, the Cl0p ransomware gang began exploiting an SQL injection vulnerability in the MOVEit Transfer platform, leveraging a zero-day security flaw and gaining access to an underlying database, reports Help Net Security. Starting June 15, the cybercriminals started extorting organizations that fell victim to the attacks, exposing names on its dark web data leak site.
In late June, NSC notified the impacted schools about the breach but did not provide many details as the investigation was ongoing. At that time, Databreachnet.com reported that NCS’s name had been removed from Cl0p’s leak site, “which is often an indication that a victim paid.”
The breach has affected many organizations across the globe, including governments, financial institutions, pension systems, and other public and private entities. Among the victims are multiple U.S. federal agencies and two U.S. Department of Energy entities.
Coveware, a cyber extortion incident response firm, estimates the gang will collect around $75-100 million in payment due to high ransom requests.
Another version of this article originally appeared on our sister-site Campus Safety on September 25, 2023. It has since been updated for My TechDecisions’ audience.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!