iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
The MOVEit file transfer hack is still racking up victims, as a non-profit educational organisation discloses the scale of data exposed by the vulnerability.
According to a report made to the Office of the Maine Attorney General, the National Student Clearinghouse – which provides administrative services to a raft of colleges and universities in the United States – first noted that its data may have been affected in late June 2023, and that the initial compromise occurred almost a month earlier in May.
Finally, at the end of August, the National Student Clearinghouse began notifying affected customers and organisations of the incident.
The report to the Maine attorney general notes that over 51,000 individuals were affected, but a second filing with the attorney general of California lists nearly 900 affected colleges and universities.
At the moment, the National Student Clearinghouse is still investigating the scope of the data affected. So far, the non-profit believes that no enrolment details were a part of the breached data but has told the Maine attorney general that Social Security Number may be.
However, the National Student Clearinghouse’s own letter, sent to affected students, says enrolment details may be impacted.
“The relevant files obtained by the unauthorised third party included personal information such as name, date of birth, contact information, Social Security number, student ID number, and certain school-related records (for example, enrolment records, degree records, and course-level data),” the letter reads.
“The data that was affected by this issue varies by individual.”
In a notice on the organisation’s web page, the National Student Clearinghouse says that investigations are ongoing.
“We have initiated a review of the affected files with the assistance of a third-party provider and will follow up with additional information regarding the impact to affected organisations, including a list of individuals whose personal information is identified in the relevant files,” the site notice reads.
The MOVEit vulnerability was first disclosed on 31 May 2023, when the makers of the file transfer software first went public.
“Progress has discovered a vulnerability in MOVEit Transfer and MOVEit Cloud that could lead to escalated privileges and potential unauthorised access to the environment,” Progress said in a security update at the time. “If you are a MOVEit Transfer customer, it is extremely important that you take immediate action in order to help protect your environment.”
“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database,” a CVE advisory on the flaw read, “and execute SQL statements that alter or delete database elements”.
Since then, the number of organisations impacted has totalled more than 2,000 according to tracking by security firm Emsisoft. The number of individuals affected has now surpassed 57 million.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
