The National Student Clearinghouse, an education nonprofit that provides report, verification and research services, has disclosed that it was compromised and that data from nearly 900 universities and colleges has been stolen.

According to NSC, the compromise occurred through a vulnerability in one of its third-party software tools, MOVEit Transfer. In a notice of data breach, the NSC claims that it was informed of the issue by Progress Software, the makers of MOVEit, on May 31 and, after becoming aware of it, initiated an investigation and coordinated with law enforcement. The nonprofit then learned on June 20 that an unauthorized party had obtained certain files from the MOVEit tool.

Personally identifiable information stolen included names, dates of birth, contact information, Social Security numbers, student ID numbers and some school-related records. The breach notice notes that the data stolen varies between individuals.

Exactly how many students may have been affected has not been disclosed, with the NSC only saying that it involves 890 universities and colleges it provides services to. A list of affected universities and colleges has been published and notable on the list are California State University, Harvard University and Stanford University. Potentially, the records stolen could be in the hundreds of thousands, if not significantly more.

MOVEit is managed file transfer software designed to provide secure and compliant file transfers for sensitive data within and between organizations. A vulnerability in the software discovered earlier this year, officially designated CVE-2023-34362, allows an unauthenticated, remote attacker to send a specially crafted SQL injection to a vulnerable MOVEit Transfer instance.

Although the NSC has not named a group behind the attack, previous attacks involving the MOVEit vulnerability have involved the Clop ransomware gang. Clop does not currently have the NSC compromise listed on its dark web leaks site, but that could change.

Previous victims of the Clop ransomware gang via the MOVEit vulnerability include the BBC, British Airways Plc and the pharmacy chain Boots UK Ltd., the U.S. Department of Energy, Shell Plc, UnitedHealthcare Student Resources, the University of Georgia, the University System of Georgia, Heidelberger Druckmaschinen AG and Landal Greenparks.

“As yet another organization joins the long list of MOVEit victims, the vulnerabilities and inadequacies of the traditional defensive-based cybersecurity techniques organizations are still relying on are highlighted,” Darren Williams, founder and chief executive of ransomware prevention company BlackFog Inc., told SiliconANGLE. “The education sector remains one of the top targeted sectors for cyberattacks, emphasizing the need for schools to invest in more updated technologies that enable them to keep up with the quickly evolving techniques attackers use against them. It will be some time before we know the full extent of this breach, and meanwhile, the MOVEit exploit victims list will inevitably grow.”

Darren Guccione, co-founder and CEO of password and secrets management company Keeper Security Inc., highlighted the risk that zero-day or unpatched vulnerabilities present, noting that they can lead to data theft, system compromise, or other malicious activities.

“As cyber teams continue to address this spate of attacks, the news should serve as a wakeup call to every organization that this serious zero-day vulnerability must be remediated immediately,” Guccione explained. “All organizations should take a proactive approach to regularly update software and immediately patch vulnerabilities that are being actively exploited in the wild.”

Image: Bing Image Creator