MOVEit File Transfer Hack Exposes Loyola Data

The file transfer software MOVEit was hacked over the summer, exposing personal data from several of Loyola’s third-party organizations who utilize the software.

The group behind the hack was a Russian ransomware group known as CL0P, who attempted to ransom the stolen data following the breach, according to the Associated Press. The group employed what’s known as a zero-day exploit, a wide-ranging term for vulnerabilities which can be utilized in attacks before vendors are aware, according to a June 20 Loyola advisory notice.

MOVEit software’s developer, Progress Software, initially notified customers of the breach May 31 and described several steps to combat it, according to the Progress Software website.

Loyola’s first statement concerning the breach was the June 20 advisory notice notifying faculty and staff about the possibility of a data breach. Loyola doesn’t utilize MOVEit software for file transfers. but some of the third-party organizations the university partners with do use it. By June 20, none had reported a breach, according to the notice.

The next update came July 10 when two university partners, the National Student Clearinghouse and the Teachers Insurance Annuity Association notified Loyola of breaches and the possibility of some personal information the university shares with these organizations being exposed, according to the University Information Security Office blog.

Eric Chan-Tin is an associate professor in the department of computer science and lead of the Loyola Center for Cybersecurity. Chan-Tin has been researching to prevent these breaches from occurring.

“I’ve broken into well-known systems, and I tried to patch them,” Chan-Tin said. “You know, fix them so they’re not insecure anymore.”

National Student Clearinghouse provides student data exchange, verification and financial aid services to many universities, including Loyola, using student data including transcripts, addresses and contact information, according to the organization’s privacy policy. Loyola shares current and prospective student information with the national organization to receive their services, including social security numbers but not financial information, according to a July 10 statement from the university’s security office.

National Student Clearinghouse had reported no social security numbers or financial information from Loyola had been accessed while at least two people’s date of births were, according to an Aug. 10 statement. While others at Loyola were affected, only the breach of specific kinds of data warrants a notice because of the Illinois Personal Information Protection Act, according to the statement.

University spokesperson Matt McDermott declined to specify how many people at Loyola were affected by the breach, citing Illinois law, and elaborated on the university’s cybersecurity practices in an email statement to The Phoenix. 

“Information Technology Services and the University Information Security Office (UISO) are committed to safeguarding the confidentiality, integrity, and reliability of all University IT assets,” McDermott wrote. “While this breach affected third-party providers, and not the University directly, UISO was monitoring the MOVEit application vulnerability well in advance and sent an advisory notice to faculty and staff on June 20.”

While data breaches can’t be predicted, Chan-Tin said there are some precautions which can be taken to protect your data.

“Well, so, I mean, there’s the basic cybersecurity hygiene, you know, like batteries,” Chan-Tin said. “Be careful what you install. So if you don’t use, I don’t know, some software, just uninstall it because you never know when something could happen.”

The Teachers Insurance Annuity Association is a for-profit financial organization providing investment and insurance services to teachers and their families, according to Investopedia. The association itself also doesn’t employ MOVEit software but one of its third-party partners, Pension Benefit Information, LLC, does and was affected by the breach, according to the July statement.

Those with Teachers Insurance Annuity Association financial plans may have had social security numbers or other personal information accessed during the breach, according to the July statement. Pension Benefit Information was sending data breach notices to those affected by the hack on behalf of Teachers Insurance Annuity Association as of Aug. 10, according to the August statement.

Besides basic practices for safeguarding data like creating strong passwords, Chan-Tin said not much can be done to prevent these kinds of breaches.

“It’s not your fault,” Chan-Tin said. “I mean, you could uninstall Zoom, but that would make life pretty hard nowadays. Just apply patches as soon as they come out. Keep up to date.”

A third organization, United Healthcare Student Resources, informed Loyola they had been affected in the hack by Aug. 10, according to the August statement. They are a student insurance provider which offers Loyola students health insurance if they aren’t covered by another policy.

United Healthcare Student Resources let the university know some students’ data was affected by the MOVEit breach — possibly including student IDs, personally identifiable information or social security numbers — but didn’t inform Loyola exactly which students’ information or types of data were accessed, according to the August statement.

However, no drivers license or financial information was accessed and United Healthcare Student Resources reached out to those affected by the breach to notify them and offer two years of the standard Norton LifeLock plan.

This story was written by Meghan McGowan and Hunter Minné

Featured image by Hunter Minné