Indiana State University Statement: MOVEit Data Breach


Sycamores,

We are monitoring a nationwide data security breach that has implications at Indiana State University.

The widely used MOVEit Transfer file transfer software recently suffered a data security breach. Indiana State has been notified by multiple vendors that they were amongst the victims of this data breach. Our vendors have advised that they were using MOVEit Transfer in connection with personal information received from ISU and that certain personal and student information received from ISU has been subject to the MOVEit Transfer breach.

It is important to note this security breach did not occur on ISU’s systems. Rather, it occurred on MOVEit Transfer’s systems in connection with transfer of ISU personal information made by certain ISU vendors.

At this time, ISU has been notified by the National Student Clearinghouse (NSC), a third-party provider of student data reporting, and the Pension Benefit Information, LLC (PBI), a vendor of our employee benefit plan provider, TIAA, that they have been affected by the MOVEit Transfer data breach. If your information was exposed as part of this data breach, you will receive a notification of the breach along with additional information, likely from the applicable vendor. We will provide additional updates to you should any additional vendors notify us of exposure to this breach.

The National Student Clearinghouse (NSC) has advised that ISU is one of the 3600 colleges and universities that work with NSC to gather student data as required by the U.S. Department of Education. NSC reports that an unauthorized party obtained certain files transferred within the Clearinghouse's MOVEit environment, including files containing personal information from the student record database on current and former ISU students. NSC has advised it has eliminated the vulnerability and is working with a third-party vendor and leading cybersecurity experts to review the attack's impact on ISU. For more information, the NSC has set up this website – https://alert.studentclearinghouse.org/. If you have questions or concerns about your information, don't hesitate to contact NSC directly through NSC’s support form.

Additionally, ISU has been notified by the Pension Benefit Information, LLC (PBI), a vendor of our employee benefit plan provider, TIAA, that PBI has also been affected by the MOVEit data breach. PBI is used to identify benefit plan participants who might have passed away and to assist in implementing the plan beneficiary processes. As a result, certain ISU employee information may also have been accessed in the MOVEit data breach.

PBI has informed ISU that the breach of their MOVEit environment exposed personal information of ISU-affiliated individuals, including names, addresses, dates of birth, and Social Security numbers of ISU students and personnel. As a result, PBI is offering those impacted two years of credit monitoring at no cost to the individual through Kroll, LLC, a cybersecurity consulting firm. Those affected will receive a letter by mail from PBI, including instructions and a unique code for free credit monitoring. The letter also will have a telephone number you may call to learn more or ask questions about the credit monitoring service. In addition, PBI recommends placing a freeze on credit reports issued by credit reporting agencies. More information about that process can be found at https://www.usa.gov/credit-freeze.

Again, this was not a data breach of ISU's systems. At this time, the University is working to communicate with our vendors to learn the full extent of the breach, and the specific impact on ISU students and personnel is still under investigation. We want community members to know that ISU is committed to monitoring this situation and providing updates as they become available.