Event Summary

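The National Student Clearinghouse (the “Clearinghouse”) uses MOVEit Transfer, a tool provided by software vendor Progress Software, to support file transfers. A security vulnerability in MOVEit Transfer enabled unauthorized access to files transferred through the tool. Upon learning of this vulnerability, the Clearinghouse promptly launched an investigation to understand its impact on the Clearinghouse and our customers. The investigation revealed that an unauthorized third party obtained certain files transferred through the MOVEit software, including files containing personal information that the Clearinghouse maintains on behalf of our customers. The affected files were then analyzed to identify the individuals whose personal information appeared in the files and the data providers who submitted that information to the Clearinghouse.
Please read this page carefully as it contains important information about what data was affected and what you need to do.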

Incident Details


On May 31, 2023, third-party software provider Progress Software announced a security vulnerability related to its MOVEit Transfer software, potentially affecting thousands of organizations worldwide. MOVEit Transfer is a software tool used by many organizations, including the Clearinghouse, to support the transfer of files. According to Progress Software, an unauthorized third party discovered a vulnerability in the MOVEit Transfer software that allowed unauthorized access to files transferred through the tool.

Upon learning of this vulnerability, the Clearinghouse promptly launched an investigation and took steps to secure our relevant systems. We reported the issue to law enforcement and worked with leading cybersecurity experts to understand the impact of the issue on our organization and our customers. The Clearinghouse acted quickly to protect our systems and our customers' data by applying the relevant security patches and following guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and other cybersecurity experts. As a precautionary measure, we rebuilt the Clearinghouse’s entire MOVEit environment, and we have implemented additional monitoring measures to help us identify any further activity related to the issue.

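Based on the investigation, we determined that an unauthorized third party obtained certain files transferred through the MOVEit Transfer software, including files containing personal information that the Clearinghouse maintains on behalf of our customers. The unauthorized party obtained the files on or around May 30, 2023. Although the Clearinghouse began our internal investigation promptly after learning of the vulnerability on May 31, 2023, we did not learn until June 20, 2023 that certain files had been accessed by the unauthorized party. Since that time, the Clearinghouse has been working diligently to understand the nature and scope of the affected files, and communicating with relevant data providers about the incident and the steps we are taking to respond to the incident. With the assistance of a third-party vendor, we conducted a two-phase review of the affected files. In the first phase, the data providers whose information appeared in the files were identified. The second phase involved identifying the individuals whose personal information appeared in the files, determining the types of personal information in the files, and connecting such information to the data provider that submitted it to the Clearinghouse.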

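The Clearinghouse has provided [institution] with the names of the individuals associated with our organization whose personal information was identified in the affected files. These individuals will be identified by their names as they appear in the affected files.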

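In some of the affected files, personal information such as Social Security numbers, student identification numbers, or dates of birth appeared. However, the individuals identified at [institution] did not have a Social Security number, student identification number, or date of birth from our organization appear in the affected files. For the individuals identified, the types of affected personal information may include names, contact information, and educational information such as enrollment, degree, and course-level data (for example, from transcripts and Postsecondary Data Partnership reports), although the types of information vary by individual.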

http://alert.studentclearinghouse.org/  

National Clearinghouse Frequently Asked Questions

An unauthorized third party discovered a security vulnerability in software provider Progress Software’s MOVEit Transfer tool, which allowed unauthorized access to files transferred through the tool. The unauthorized party exploited the vulnerability to gain unauthorized access to the Clearinghouse’s MOVEit environment and to obtain certain files, including files containing personal information that the Clearinghouse maintains on behalf of our customers.

Progress Software announced the security vulnerability on May 31, 2023, and the Clearinghouse promptly launched an investigation to understand the impact of the vulnerability on our organization and our customers. On June 20, 2023, the investigation revealed that an unauthorized third party obtained files from the Clearinghouse’s MOVEit environment on or around May 30, 2023.

Yes, the Clearinghouse promptly reported the incident to law enforcement.

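The files obtained by the unauthorized third party included personal information that the Clearinghouse maintains on behalf of our customers. The personal information relates to current and former students of educational institutions and customers of education finance organizations. For the individuals identified in the available list, the types of affected personal information may include names, contact information, and educational information such as enrollment, degree, and course-level data (for example, from transcripts and Postsecondary Data Partnership reports). The types of personal information contained in the files vary by individual.
In some of the affected files, personal information such as Social Security numbers, student identification numbers, or dates of birth appeared. However, the individuals identified at [institution] did not have a Social Security number, student identification number, or date of birth from the organization appear in the affected files.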

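Upon learning of the vulnerability in the MOVEit Transfer software, the Clearinghouse promptly launched an investigation and took steps to secure the relevant systems. We reported the issue to law enforcement and worked with leading cybersecurity experts to understand the impact of the issue on our organization and our customers.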

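Once we learned that certain files were obtained by the unauthorized party, the Clearinghouse began working with a third-party vendor to review and analyze the relevant files. This review consisted of two phases. In the first phase, the vendor identified the data providers whose information appeared in the affected files, enabling the Clearinghouse to notify the affected data providers. In the second phase, the vendor identified the individuals whose personal information appeared in the affected files, determined the types of personal information in the files, and connected such personal information to the data provider that submitted the data to the Clearinghouse. The Clearinghouse is providing the information obtained from the review and analysis of the affected files.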

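We believe the issue is contained, based on the significant steps we have taken to further strengthen the security of our systems and our customers' data. The Clearinghouse applied the relevant security patches issued by Progress Software, and followed guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, Mandiant, Microsoft, and other cybersecurity experts. As a precautionary measure, we rebuilt the Clearinghouse’s entire MOVEit environment, moving our customers' data into a new, pristine environment that the unauthorized third party never accessed. We have also implemented additional monitoring measures to help us identify any further activity related to this issue.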

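The Clearinghouse has been communicating regularly with data providers about the MOVEit Transfer issue and providing updates on the related investigation. We notified data providers after learning that the issue involved certain information they may have provided to us. Since then, we have continued to communicate with affected data providers about the ongoing review and analysis of the affected files and the support that the Clearinghouse is providing to data providers.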

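In a recent letter to the National Information Center, the Clearinghouse stated that we would provide you with access to the portal as well as in the portal.
Because no Social Security numbers, student identification numbers, or dates of birth provided by your organization were identified in the portal, NSC will not be notifying individuals on behalf of NSC. Therefore, the Clearinghouse is not asking [institution] to take any action with respect to the individuals identified within this list.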