“MOVEit” Breach May Impact You; Take Steps to Protect Yourself and Your Data

July 7, 2023

UA students and employees may have been impacted by the large-scale “MOVEit” data breach earlier this year. No UA-owned or operated systems are known to be impacted, but some of our third-party vendors were. 

Why It Matters: Some vendors are still determining how their systems were affected. But because this breach is so large, we believe some students and employees will receive letters in the mail advising that information you shared with UA and our vendors may have been compromised, and we want you to know what to do if you receive such a notification.

UAA, UAF, and UAS have all been advised that the breach impacted the National Student Clearinghouse (NSC). NSC serves as a single point of contact for the secure collection and exchange of accurate, timely, and comprehensive enrollment, degree, and certificate records for 99% of colleges and universities in the United States. While NSC has not yet determined how the breach has impacted them, we want students to be aware, and to consider taking some of the actions outlined below to protect themselves and their information.

What To Do:

• Read the notification carefully to make sure it is legitimate, and understand what data was potentially compromised. Most notifications are sent in the mail and are addressed directly to the person impacted. If you’re unsure whether a letter you receive is legitimate, search for the company online, and call their customer service phone number to verify.

• Take advantage of any credit monitoring services they may provide, and initiate a credit freeze. If sensitive information has been exposed, credit monitoring is an important tool to safeguard your identity. And it is often provided to you at no cost in response to a potential compromise. See more on credit freezes below.
• Consider updating important passwords and turn on MFA (multi-factor authentication) where available. A password refresh can be time-consuming, but unique, recently updated passwords together with MFA are an important defense against bad actors in a digital world.

What Happened: “MOVEit” is a widely-used file transfer tool that allows users to share large files over the internet. In early May, a ransomware gang believed to be based in Russia exploited a vulnerability in MOVEit, and was able to gain access to a number of MOVEit systems.

• Multiple patches have been provided by the vendor, but it is not clear how many organizations may have been impacted.
• Impacted organizations include federal agencies like the Department of Health and Human Services (HHS), private corporations like Ernst and Young, and overseas entities like British Airways and the British Broadcasting Corporation.
• As of this week, cybersecurity researchers believe more than 17.5 million people worldwide have been affected by the breach.

The Bottom Line: Develop good cybersecurity habits. Hacks and ransomware attacks are becoming more and more common. In the digital age, the best thing you can do to protect yourself, your loved ones, and your data is to be proactive and take reasonable precautions:

1. Use unique, private passwords. If remembering passwords is a struggle, consider using a password manager to help you generate, recall, and secure your passwords.
2. Freeze your credit reports. All 3 of the major credit bureaus allow you to limit how and when your credit report is accessed, which means any attempts by bad actors to use your credit are stopped before they can start.

• When In Doubt, Find Out. See suspicious charges on your bank account or credit card? Call the customer service number on their website or back of your card right away to verify the activity. Receive a call or text message asking for financial or personal identifying information? Don’t give it out. Instead, determine which company is contacting you, and call their customer service number directly to verify. Most companies will never call you directly and ask for sensitive information.