A cyberattack targeted the National Student Clearinghouse (NSC) and exposed DePaul students’ names. The nonprofit serves as a verification tool for over 3,600 colleges and universities, ensuring student identity and facilitating data exchange.
In an email to students about the attack, DePaul officials reassured that students’ privacy and account information are not significantly at risk following the attack.
According to an update from the NSC, the breach occurred in May due to hackers taking advantage of a zero-day vulnerability — an exposure in a system or device undisclosed to its developers — in the MOVEit file transfer solution. This software, developed by Progress Software Corporation and used by many organizations, including NSC, is designed for securely transferring large volumes of sensitive files.
Following the incident, the Clop Ransomware group, a Russian-based hacker association, admitted to orchestrating a major data breach in June. This attack has impacted over 1,000 organizations, such as banks, hospitals, airlines and major energy companies, and affected over 60 million people. Following a post on Clop’s dark web platform, the group stated that they intended to reveal the “secrets and data” of the victims who did not agree to negotiate or pay the ransom they demanded.
DePaul assistant professor Zhen Huang explained that cyberattacks, such as the MOVEit data breach, are typically motivated by a desire for financial gain rather than espionage, social or political reasons.
“Typically, what they [the ransomware group] will do is they will compromise an organization or people’s computer system and they will then ask for a multimillion-dollar ransom,” Huang said. “If people don’t want to pay them, they will threaten to make other people’s computer systems inoperable or they will publish the sensitive or private information.”
It is unclear if any victims have paid the group. However, according to Coverware, a ransomware recovery service, Clop is expected to amass $75 to $100 million from the attack.
As for NSC’s victim status, Huang said higher education institutions are susceptible to hackers.
“There are several causes that make American educational institutions more vulnerable targets … our educational institutions often have the information of a large number of individuals, students, staff and faculty members which makes them a target,” Huang said. “It could also be because many higher education institutions conduct cutting edge research which is highly sought after.”
Between 2020 and 2021, cyberattacks targeting the education sector increased by over 75%, according to Upguard.
Although Clop obtained only students’ names during the attack, Huang advised all members of the DePaul community to stay vigilant by regularly checking their credit reports and bank accounts for any signs of identity theft.
“Particularly in this case, students and any individuals affected should at least issue credit alerts to the major credit reporting organizations … and monitor their financial accounts and credit reports for any suspicious activity,” Huang said.
DePaul’s Director of Information Security, Michael Rodriguez, stated that the breach had such a small impact on DePaul that the information security department debated whether or not to inform students about it.
“Names by themselves are of little to no risk,” Rodriguez said. “I mean, there’s nothing, not much you can do with somebody’s name, quite frankly, that’s just generally public information.”
However, safeguarding student account information remains the top priority in the university’s information service operations. Rodriguez explained that the university introduced BlueKey Multifactor Authentication in Sept. 2022, which requires students, faculty and staff to use their cell phones for identity verification to prevent hackers from accessing their accounts.
“It’s kind of like the whole canary in the coalmine kind of deal because if your phone all of a sudden start saying, ‘hey, you authenticate me,’ you know, likely your account has been compromised,” Rodriguez said. “We taught people that multifactor is the way to protect your account, whether it’s at the institution or in your personal life, just use multifactor and demand multifactor where you can.”
Still, students like DePaul junior Anna Gerstenberger see the university’s slow response to the data breach as a sign of institutional failure.
The data breach in MOVEIT software occurred May 27 and was disclosed by Progress Software Corporation May 31. NSC notified colleges affected by the security breach on Aug. 14. DePaul informed its students about the incident on Aug. 23.
“Sensitive and embarrassing as it may have been from the university’s perspective, the best they could have done by their students would have been to take direct and immediate action by alerting everyone affected and providing a list of things to watch out for in the event of a cyberattack/identity theft of any sort,” Gerstenberger said.
Despite the university’s delayed response to the attack, Gerstenberger believes the leak should serve as a wake-up call for DePaul to prioritize student safety.
“DePaul should definitely use this data breach as a learning moment and a commitment to upping the security standard that they provide students,” Gerstenberger said.
Questions and additional information concerning the data breach and potential leaked information can be found at studentclearinghouse.org.
Editor’s Note: This story has been corrected to note that the NSC confirmed data was part of the breach on Aug. 14, and the university sent the notification out to students the next week.