Dickinson State University (DSU) has recently been notified by the National Student
Clearinghouse (NSC) of a data breach involving personal student data that the Clearinghouse
maintains on behalf of more than 3,600 US higher education institutions. According
to NSC, an unauthorized third party obtained certain files, which may include DSU
student data files, transferred by NSC through the MOVEit Transfer tool, a file transfer
Upon learning of this vulnerability, NSC launched an investigation and took steps to secure its systems. Consequently, the investigation is expected to be extensive and may require a significant amount of time before its completion.
This incident took place within NSC’s system. No data stored, operated, or maintained by Dickinson State University were breached.
At this time, NSC has provided no further details or specific information about the data that were affected. NSC has informed us that it is working with a third-party vendor to review affected files and identify individuals whose personal information appears in the files. Once the review is complete, NSC has indicated it will provide us with a list of affected individuals. At that time, we will work with NSC who will notify any individuals impacted.
The NSC has provided the following link for individuals to monitor the incident: http://alert.studentclearinghouse.org/
What is the National Student Clearinghouse?
The NSC is a non-profit organization founded in 1993 to provide educational reporting, research, and data services for more than 3,600 colleges and universities.
According to NSC, software provider Progress Software recently announced a security vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. According to Progress software, an unauthorized party discovered the vulnerability in the MOVEit Transfer software, which could allow unauthorized access to files being transferred using the tool.
Based on NSC’s ongoing investigation, they have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that is maintained on behalf of some of its customers. NSC has indicated there is no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse or DSU.
Is DSU’s data system safe?
Yes. While it is impossible to guarantee 100% cybersecurity, this incident took place within NSC’s system and not within DSU’s systems. At present, DSU’s internal student and alumni data systems have not been impacted by this cybersecurity incident.
What information was contained in the files?
At this time, we do not know the extent of the data that was compromised. DSU, along with most public and private colleges and universities across the country, provides student data to NSC.
Does this incident involve the records of any alumni?
DSU’s internal alumni data systems were not affected by this incident. However, since we have no information about the specific files and data that were impacted, we do not yet know if data of students who have now graduated were involved.
Does this incident involve employee records?
DSU’s internal employee data systems were not affected by this incident. However, the underlying security issue with the MOVEIt Transfer tool has impacted many corporations, government agencies, and organizations worldwide. It is possible that an individual may receive notification of a security issue from a different organization.
How has DSU responded to this incident?
DSU takes student data privacy very seriously. Campus leaders are in active communication with the National Student Clearinghouse to receive updates and coordinate information.
How soon will I know if my data was compromised?
NSC notified us that it is working with a third-party vendor to review affected files and expects that review to be completed within the next few weeks. After that, NSC will begin providing its campus contacts with more information on individuals affected. We will work with NSC to ensure affected individuals are promptly notified.
What can I do to protect my personal data?
Here are some general guidelines to follow:
- Keep mobile devices and apps updated
- Don’t click random links or visit unknown websites
- Delete or report suspicious emails to avoid granting access to accounts
- Update and secure all home devices connected to the internet
- Use strong passwords and two-factor authentication and confirm privacy settings
- Practice safe social media use; be careful not to post personal/sensitive information
- Avoid free Wi-Fi networks to prevent compromising sensitive information
- Secure home Wi-Fi networks and digital devices by changing the factory password
- Optimize operating system, browser, and security software by installing recommended updates