MOVEit Transfer Software Cyber Incident Information
August 2023
We are reaching out to you about the MOVEit Transfer software cyber incident that has impacted three organizations with whom institutions across the nation, including SUNY, work: the National Student Clearinghouse (NSC), TIAA, and Corebridge.
Each organization has contacted SUNY to alert us of the possibility that the personal information of our students, employees, and retirees may have been impacted. SUNY has been assured by NSC, TIAA, and Corebridge that their systems have been secured, and they are working with the FBI and global cyber security experts in an ongoing investigation to determine the impact of the cyber incident.
In the coming weeks we expect potentially impacted individuals will be contacted by one or more of these organizations. In the meantime, we recommend that you use your right to a free annual credit report from each of the major credit reporting companies Experian, Equifax or TransUnion.
For more information about this incident:
Federal Trade Commission, or review the FTC’s information on identity theft
National Student Clearinghouse MOVEit Security Issue
Corebridge
TIAA
Again, if you were potentially impacted by the MOVEit incident, you will be contacted by one or more of the organizations.
Frequently Asked Questions
What is the National Student Clearinghouse and why do campuses provide student information to this organization?
National Student Clearinghouse is a federally-sponsored organization used for sharing and tracking student education-related information for use in federally mandated reporting, as well as for research. It provides trend data and research evidence that many institutions of higher education utilize to improve the academic experience with services that ensure students maximize their academic opportunities and graduate on time. The National Student Clearinghouse helps education go further with innovative solutions that meet reporting, research, verification, transcript, and data exchange demands across the K-20 to workforce continuum. '
What does TIAA do for SUNY?
TIAA is a benefits company used by SUNY campuses on behalf of their employees.
What does Corebridge do for SUNY?
Corebridge (AIG) is an investment company used by SUNY on behalf of their employees.
What has the National Student Clearinghouse, TIAA CREF, and Corebridge said about the MOVEit data breach?
See the National Student Clearinghouse MOVEit Security Issue alert, the Corebridge Financial incident update, and TIAA for more information.
When was the data breach first discovered by the National Student Clearinghouse?
SUNY campuses learned in June that personal identifying information of students may have been compromised due to a global cyber incident. Information technology experts across SUNY launched an investigation to ensure the data breach did not extend to administration or campus systems.
When did TIAA and Corebridge notify SUNY for the MOVEit data breach?
TIAA notified SUNY of the MOVEit data breach on June 16 and then confirmed on June 29 that the breach affected SUNY retirement plan participants and retirees. Corebridge notified SUNY of the MOVEit data breach on June 27 and are still working on who has been affected on the SUNY retirement plans.
What specific types of personal data have been or may have been compromised?
Though not yet confirmed, based on how campuses utilize National Student Clearinghouse for the purposes of research, the compromised information may include name, date of birth, address, demographics, student identification number, financial account information, and social security numbers.
- National Student Clearinghouse (NSC): Potentially, name, date of birth, address, demographics, student identification number, financial account information, and social security numbers may be compromised.
- TIAA: Potentially, employee or retiree data including personal identifying information and social security numbers may be compromised.
- Corebridge: Potentially, employee or retiree data including personal identifying information and social security numbers may be compromised.
Has there been any known attempt to use any of the compromised data, or any demand for ransom or other action on the part of hackers?
There is no evidence of any attempted use of the compromised data, nor any demand for ransom that SUNY has been made aware of by the National Student Clearinghouse, TIAA, or Corebridge.
What, if any, protective services related to identity theft are being offered by the National Student Clearinghouse, TIAA, or Corebridge to students, employees, and retirees who have been or might have been compromised?
National Student Clearinghouse, TIAA, and Corebridge are responsible for the official notifications. They have also informed the New York State Attorney General, Consumer Affairs Bureau, and the New York State Police.
What steps, if any, should such students, employees, and retirees be taking on their own?
SUNY and its campuses recommend that you use your right to a free annual credit report from each of the major credit reporting companies Experian, Equifax or TransUnion.
You may also wish to consider contacting the Federal Trade Commission at the main FTC website or the FTC identity theft page.
In addition, here are links from the organizations where you can find additional information: