The National Student Clearinghouse suffered a data breach

October 6, 2023

The National Student Clearinghouse, one of the United States’ most prominent nonprofit academic organisations, admitted that it sustained a cybersecurity incident. In their notification letter to the Office of the California Attorney General, the NSC stated they suffered a data breach after the attackers infiltrated their MOVEit managed file transfer (MFT) server on May 30, 2023, and stole troves of data.

The institution said it discovered the incident after its third-party software provider, Progress Software, notified it earlier this year about an issue concerning the MOVEit Transfer solution. NSC immediately launched an investigation and notified relevant law enforcement agencies after becoming aware of the report.

The National Student Clearinghouse hackers harvested PII from nearly 900 schools.

Investigations have shown that the attackers compromised personally identifiable information (PII), such as names, birthdates, contact details, Social Security numbers, student ID numbers, and certain school-related records like enrollment, degree, and course-level data owned by various individuals.

NSC is pivotal for educational reporting, data exchange, verification, and research, serving approximately 22,000 high schools and over 3,600 colleges and universities. Its coverage amounts to around 97% of students enrolled in public and private institutions.

Unfortunately, this is not the first time NSC has suffered such an incident. Last month, it disclosed a breach to the Office of Maine’s attorney general, affecting about 51,000 individuals.

The Clop ransomware gang is the alleged culprit behind these attacks, having widely exploited the zero-day security vulnerability in the MOVEit Transfer secure file transfer platform. The fallout from these attacks has impacted numerous organisations worldwide, with some already notifying their customers over the past four months.

Despite the broad scope of potential victims, researchers believe that only a limited number of affected organisations will likely yield to Clop’s ransom demands. Nevertheless, because those demands are so high, the Clop ransomware group could earn around $75-100 million in ransom payments.

Recent reports revealed that multiple US federal agencies and a couple of US Department of Energy (DOE) entities have fallen victim to these data theft and extortion attacks. Therefore, even private organisations should not be complacent about their cybersecurity defences, since the Clop ransomware group is still a looming threat and will likely reveal more details about its victims.
