The MOVEit saga continues to claim more victims, after an education non-profit revealed that 890 US schools signed up to its services had been breached.
The National Student Clearinghouse offers degree and enrolment verification services, among other things, with a network of 3600 participating colleges and universities, and 22,000 high schools.
However, in a breach notification letter posted to the website of the Office of the California Attorney General, the non-profit revealed for the first time the scale of a May data breach impacting many of these members.
It said it was informed about the incident involving managed file transfer software MOVEit by its developer Progress Software.
“After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement. Through our investigation, on June 20, 2023, we learned that an unauthorized party obtained certain files from the MOVEit tool. The issue occurred on or around May 30, 2023,” the notice explained.
“The relevant files obtained by the unauthorized third party included personal information such as name, date of birth, contact information, Social Security number, student ID number, and certain school-related records (for example, enrollment records, degree records, and course-level data). The data that was affected by this issue varies by individual.”
The National Student Clearinghouse said it has patched the software and put additional monitoring capabilities in place, while also offering victims identity monitoring services for two years.
The full list of impacted education institutions covers schools, colleges and universities across the US.
The total cost of the MOVEit operation is still being counted, although hundreds of organizations like the National Student Clearinghouse are thought to have been impacted, with millions of downstream users and customers affected across the globe.
Experts have suggested that ransomware outfit Clop could make as much as $100m from extorting these victims, even if just a small percentage pay up.