Information Security

July 2023 Global Data Security Incident FAQ

Last modified 7/17/2023

Created 7/11/2023

7/17/2023 Update: Added section for Pension Benefit Information, LLC (PBI), a third party used by TIAA and Genworth Financial, two retirement benefit plan providers used by some ISU employees. Added a general FAQ regarding receiving multiple letters and verifying the legitimacy of letters.

MOVEit Transfer is file transfer software commonly utilized by a diverse range of organizations, including government agencies, financial institutions, healthcare providers, and businesses operating in highly regulated industries. These organizations leverage MOVEit Transfer to securely transfer files between themselves and other parties.

Recently, organizations globally began reporting cyber events and data breaches associated with their operation of this software. Due to the scope and scale of organizations reporting issues, we are making this resource available to provide members of Illinois State University with pertinent information.

General

This section generally describes the MOVEit software and recent incidents.

  • What organizations have reported related incidents?

The latest reports indicate that over 200 organizations have reported incidents involving this software. Many are still investigating; some have confirmed data breaches resulting from the incidents.

  • What was the cause of the related incidents?

Cybersecurity firms, federal agencies, and other entities have reported that the incidents are due to exploitation of a previously unknown (zero-day) vulnerability in the software. Because the software facilitates file transfer between organizations, it is typically exposed directly to the public internet. This allowed the attackers to easily discover and target vulnerable installations at many organizations before the vulnerability was detected.

  • Does ISU operate the software?

No. ISU does not operate MOVEit Transfer, and its systems and networks have not been affected by these incidents at other organizations.

  • Is my personal information compromised?

We do not currently have details on which individuals have been impacted by these incidents. Organizations that have confirmed that data was breached are beginning to send direct notifications to affected individuals.

  • What should I do if my information is compromised?

If you receive a direct notification that your personal information has been compromised, it is important to review the details in the notification completely. In most cases, such notifications will explain what information was breached, how it happened, and what the organization is doing to support impacted individuals. Often this will include credit monitoring or identity theft protection services.

If you have not received a direct notification, you can refer to our guidance on Recognizing and Responding to Identity Theft. We provide various resources available to assist you in such situations.

  • What should I do if I receive multiple notification letters?

Due to the nature of this data security incident, it is possible that an individual will receive multiple notification letters from different organizations. We strongly recommend reading each letter completely to understand what information has been compromised, what services the entity is offering, and where you can get more information. Each organization may have held a different set of your personal information, so the exposed data and the services offered may differ from letter to letter. It is in your best interest to follow the steps outlined in each notification letter you receive.

  • How do I verify the legitimacy of a notification letter?

Due to the scale of this data security incident, it is possible that individuals will be targeted by identity thieves with fraudulent notification letters. Such a letter may be almost identical to a legitimate one, but include phone numbers and websites that connect the recipient to parties looking to cause harm.

  1. Independently research contact information for the organization listed on the letter. Compare the phone number, website, and email address in the letter against what you find; if they differ, treat the letter as suspect.
  2. Independently research whether the organization has publicly reported a data security incident. Rely on news articles or organizations you trust.
  3. Do not provide any financial or payment information. Breached organizations provide free restoration and monitoring services in most cases. While these will often be delivered through other companies, such as the credit agencies, which also offer paid services, the initial 12-24 months should not require any payment or cost to you.
  4. Ask a trusted party to review the letter for you and assess what they think. This can include an experienced family member, your bank, or even an attorney. They may have methods of validating the letter that are not readily available to you.

National Student Clearinghouse (NSC)

Illinois State University (ISU) was notified by the National Student Clearinghouse (NSC) that personal data that they maintain on behalf of the University may have been obtained by an unauthorized party. This section describes the NSC and their incident as it pertains to ISU members.

  • What is the NSC?

The NSC is a non-profit organization that provides a range of educational reporting, data exchange, verification, and research services. It collects, organizes, and stores data related to students' educational progress and achievements.

  • What information does the NSC manage?

Information the NSC collects from institutions can include personally identifiable information such as name, date of birth, student ID, and Social Security number, as well as enrollment status, degree information, transfer information, and course information.

  • What relationship does ISU have with the NSC?

Illinois State University is required to report information about students to the NSC under the Higher Education Act and other federal programs. This information pertains to individuals that are current or recent students and about their educational relationship with the University. Faculty and staff that have not been students at ISU are not expected to be impacted.

Additionally, the NSC provides online transcript ordering services for ISU.

  • How was data managed by the NSC accessed by an unauthorized party?

Per the NSC's incident website (https://alert.studentclearinghouse.org/), the unauthorized party exploited a vulnerability in third-party software the NSC uses called MOVEit Transfer. This software handles file and data transfers between the NSC and other organizations such as ISU. Through exploitation of the vulnerability, the unauthorized party gained direct access to files containing data. Additional information about this incident is also available on the NSC website.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have attributed mass exploitation of this software vulnerability to a ransomware group. The NSC is one of many organizations that use this software and had the vulnerability exploited.

  • How do I know if the unauthorized party accessed my information?

The NSC has not yet provided the University with information to confirm who may have been impacted. The NSC has stated that their investigation is ongoing and will provide such information once confirmed. When that information is made available by the NSC and shared with ISU, notifications to impacted individuals will be distributed. These notifications may come from the NSC, ISU, or both organizations.

  • What can I do in the meantime before NSC confirms impacted individuals?

Data breaches that involve personal information can result in identity theft and financial loss for impacted individuals. We encourage you to remain vigilant by reviewing your account statements, monitoring your credit reports, and only responding to known or verifiable contacts. You should review our guidance on Recognizing and Responding to Identity Theft for additional information and resources.

If you are identified as an impacted individual, additional information will be provided.

  • Where can I get more information?

The NSC has a dedicated web page for this incident where they provide the latest available information:

https://alert.studentclearinghouse.org/

As of 12:30 PM on July 17, 2023, NSC continues their investigation of this incident to identify impacted individuals.

Illinois Department of Innovation and Technology (DoIT)

Illinois State University (ISU) departments have received inquiries about an "Important Security Notification" letter from the Illinois DoIT. The letter indicates that this global data security incident has affected their systems and the personal information of those receiving the letter. This section describes DoIT and their incident as we understand it.

  • What is Illinois DoIT?

The Illinois Department of Innovation & Technology (DoIT) delivers statewide technology, innovation and telecommunication services to state government agencies, boards and commissions as well as policy and standards development, lifecycle investment planning, enterprise solutions and privacy and security management.

  • Does DoIT directly provide ISU services?

No, DoIT does not directly provide ISU with technology services.

  • Does ISU work with agencies that receive services from DoIT?

Yes, DoIT provides services to state agencies that ISU works with directly such as the Illinois Department of Central Management Services (CMS), the Illinois Department of Public Health (IDPH), and the Illinois Department of Employment Security (IDES). However, it is unclear whether this data security incident is related to that work.

  • What should I do if I received the letter?

If you received the letter from DoIT, it is important to review the details in the notification completely. The letter provides guidance on protecting your identity as well as instructions on enrolling in credit monitoring services.

  • Does ISU know who received the letter?

No, the letters are directly sent by DoIT and no information has been provided to ISU about recipients or affected individuals.

  • Where can I get more information?

If you have not received the letter, you can refer to the following press release from the agency:

Illinois Department of Innovation & Technology to Provide Credit Monitoring and Call Center to Address Global Data Security Attack 

Pension Benefit Information, LLC (PBI)

Illinois State University was notified by TIAA and Genworth, two retirement benefit plan providers used by ISU, that a third party they utilize, Pension Benefit Information, LLC (“PBI”) or PBI Research Services, experienced a data security incident that resulted in the exposure of personal information. This section describes PBI and their incident as it pertains to select ISU members.

  • Who is PBI?

PBI Research Services is a provider of proactive pension plan management including death audit, locate services, and uncashed check management. PBI serves thousands of clients including some of the largest pension plans, insurance companies, third-party administrators, and financial institutions.

  • How were ISU members impacted?

Teachers Insurance and Annuity Association of America (“TIAA”) and Genworth Financial are two retirement benefit plan providers impacted by the PBI data security incident. Select ISU members have plans with these providers; if their personal information was exposed in the incident, they will receive letters directly.

  • How will I know if I was impacted due to the PBI data security incident?

Both TIAA and Genworth have indicated that PBI is distributing notification letters to individuals that had their personal information exposed.

  • What should I do if I receive a letter from PBI?

If you received the letter from PBI, it is important to review the details in the notification completely. The letter provides guidance on protecting your identity as well as instructions on enrolling in credit monitoring services.

  • Where can I get more information about the PBI data security incident?

If you have not received the letter, you can refer to the following from PBI for more information:
https://www.pbinfo.com/faq-consumer/

If you are a TIAA plan member, you may consider contacting them directly. They do not have a dedicated webpage for this incident, but have made this tips resource available:
https://www.tiaa.org/public/pdf/c/cybersafetytips_june_21_2023.pdf

If you are a Genworth plan member, more information from Genworth is available here:
https://www.genworth.com/moveit.html