BOISE, Idaho — A worldwide data breach has compromised personally identifiable information about some students at several Idaho public colleges and universities, the Office of the Idaho State Board of Education (OSBE) said Friday.
The breach hit MOVEit Transfer software, a third-party vendor used by the National Student Clearinghouse (NSC) and Teachers Insurance Annuity Association of America (TIAA). A hacker apparently found a vulnerability in MOVEit Transfer, a tool the NSC and TIAA use to transfer files. The hacker was able to access and download some information belonging to those entities.
As of Friday morning, the NSC had notified the University of Idaho, Idaho State University, Boise State University, the College of Western Idaho, the College of Southern Idaho, North Idaho College and Lewis-Clark State College that the breach compromised some students' information. The NSC provides enrollment and degree data on students around the country to other entities that have a direct relationship with the students.
TIAA is one of two companies that administers the SBOE's optional retirement plans for institutional faculty and staff. TIAA notified the OSBE Thursday that some employees' personal information may have been compromised, including first and last names, addresses, birthdates and Social Security numbers.
The OSBE and the colleges are waiting for more information from the NSC and TIAA about the files that were compromised.
Because the breach involves a third-party vendor, the State Board said there is nothing students or college employees need to do to secure their institutions' accounts or data.
No systems managed by the OSBE or Idaho's public colleges or universities have been compromised, a spokesperson for the OSBE said in a news release.
The NSC said it has no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications. The Clearinghouse also said it has no evidence that the hacker was able to move beyond MOVEit Transfer to other environments where data is stored or transmitted, including the student record database.
Students are encouraged to monitor the NSC website regularly for further information.
TIAA said affected individuals will receive a letter by mail offering free credit monitoring for two years.
On its website, the NSC said it is coordinating with law enforcement, has applied three security patches to its systems, and has processes in place to keep its software and systems updated.
Depending on which information was lost or stolen, there are steps people can take to prevent potential identity theft. Details are available here.
The OSBE and the state's public higher education institutions are monitoring the situation "and will support NSC and TIAA's efforts regarding notification to impacted students as information becomes available," the OSBE stated in its news release.
Watch more Local News:
See the latest news from around the Treasure Valley and the Gem State in our YouTube playlist:
HERE ARE MORE WAYS TO GET NEWS FROM KTVB:
Download the KTVB News Mobile App
Apple iOS: Click here to download
Google Play: Click here to download
Stream Live for FREE on ROKU: Add the channel from the ROKU store or by searching 'KTVB'.
Stream Live for FREE on FIRE TV: Search ‘KTVB’ and click ‘Get’ to download.