In June, Drake University was alerted that its students and staff may have been affected by a data breach involving two of its service providers.
The National Student Clearinghouse and the Teachers Insurance and Annuity Association discovered a vulnerability in the MOVEit Transfer software that was confirmed to have been breached by an unknown party.
“[The reason] it has taken so long for information to be shared is because Drake was a customer of a company whose vendor was breached,” said Keren Fiorenza, Drake University’s chief information technology officer. “Information had to go through multiple layers of review and approval before it was shared to impacted schools.”
According to security alerts issued by both NSC and TIAA, this breach has affected at least 1,000 different schools nationwide. Anyone directly affected likely used one of the two service providers in the last few months to order an academic transcript.
Personal information, including the names, dates of birth and academic transcripts of current and former students, may have been breached. All students and alumni affected will be notified directly via postal mail.
NSC believes no more than five current or former Drake students were affected by the breach. However, TIAA estimates closer to 640 current or former Drake students were affected on their end.
“There is no evidence that the unauthorized party was able to obtain any other sensitive information, such as social security numbers or addresses from our student database,” said Cameron Wright, a media representative for NSC.
Wright said the investigation is still on-going and that Drake is in contact with law enforcement as well as having hired a third party investigator.
“We have since applied security updates to our software as well as are monitoring our systems continuously so this doesn’t happen again,” Wright said.
Wright said the issue is now contained and that customers can continue to use the system safely.
“We have rebuilt Clearinghouse’s entire MOVEit environment. All our customer data is being moved to a newly built, secure system,” Wright said. “It is our top priority to provide a dependable, trustworthy service to our customers.”
In another alert, TIAA indicated that another one of its vendors, Pension Benefit Information LLC, may have also been impacted by the breach. Affected individuals will be notified directly by Pension Benefit and are being offered free credit monitoring for two years.
“It will take time for law enforcement and other cybersecurity experts to know the full extent of who all for sure was affected and what all information was taken,” Fiorenza said. “Drake is working closely with every organization involved to get the full scale of its impact on our community.”
Fiorenza said that as soon as Drake was made aware of the incident, they took immediate action to lock and secure their system. Drake confirmed that only the third party providers — not the University itself — were breached.
“Data privacy and security is a top priority for Drake University. We are committed to getting as accurate information as possible before sharing,” Fiorenza said. “Unfortunately, digital forensics is a tedious process and can take months to complete, which delays how fast we can get information about the event out.”
In the meantime, Fiorenza recommends all Drake students regularly monitor their credit scores and online accounts, use multi-factor authentication when it’s available and not open or respond to suspicious emails, phone calls or text messages.
Anyone who believes they have been breached or discovers suspicious activity online should report it to Drake ITS and Public Safety immediately.
Further information regarding the breach is continuously being updated online.