[Wsssc] SYSTEM MEMORANDUM: National Student Clearinghouse (NSC) data breach guidance

Lauren Hibbs lhibbs at sbctc.edu
Mon Jul 24 07:44:26 PDT 2023


Happy Monday, WSSSC,
I was out on vacation late last week but want to ensure the below memorandum made it to you on the NSC data breach.
– Lauren Hibbs

SBCTC-ITD Memorandum

Good afternoon, Presidents, Information Technology Commission, Washington State Student Services Commission, Admissions & Registration Council, Business Affairs Commission, Public Information Commission, and SBCTC staff:

I am reaching out about a recent data security event involving the MOVEit file transfer tool, a third-party tool the National Student Clearinghouse (NSC) uses to transfer data<https://alert.studentclearinghouse.org/>. The vast majority of higher education institutions around the country transfer data through the NSC for financial aid compliance purposes, including all 34 Washington community and technical colleges. Not all colleges will be affected by the data breach, though. Those colleges affected by the data breach should have already received a notification from NSC.

It is important to note that ctcLink was not breached, as this incident is localized to the NSC and MOVEit systems. SBCTC is actively monitoring the situation and will share any additional information we receive, including the possibility that the breach may have also affected the Teachers Insurance and Annuity Association, TIAA.

If your college has been notified it was impacted by the NSC data breach, please complete this MOVEit Data Breach Tracking Form<https://docs.google.com/spreadsheets/d/1g0_cjQ7R9l0OZGasBtBXwxffGhiGVq4K/edit?usp=sharing&ouid=105604305915719460028&rtpof=true&sd=true> so SBCTC can gauge the scope of the incident. We also recommend colleges:


  *   Initiate a comprehensive IT report to determine the extent of the compromise. Attached is a blank IT incident report template, along with other relevant documents which may assist you in this task.
  *   Engage with legal counsel—in most cases, the Attorney General's office—to address any legal implications arising from this breach. Your AG is best equipped to provide guidance tailored to the unique context of your institution.
  *   In collaboration with legal counsel, explore the possibility of requesting the NSC provide credit checks for all affected parties for the next five years.
  *   In collaboration with legal counsel, consider obtaining an official letter from the National Student Clearinghouse concerning the breach.
  *   Remain vigilant and proactive in these coming weeks and months. If the breached information is sold on the dark web, it could lead to an increase in fraudulent activities, including a surge in fraudulent school applications.


Below are sample messages from colleges in other states. When you do send out an announcement, it’s advisable to prepare for an influx of calls from current and former students who may have been notified of the breach by NSC. As you will see in the Southern Utah University example, some colleges are directing students to a generic support form on NSC’s website<https://nscsso.my.site.com/student/s/contactsupport>; however, we cannot verify whether this is an appropriate or effective way for people to contact NSC.


  *   WSU Insider<https://news.wsu.edu/news/2023/07/11/third-party-data-breach-impacts-wsu-community-members/>
  *   Worcester State University<https://news.worcester.edu/important-notice-national-student-clearinghouse-student-data-breach/>
  *   Butler Community College<https://www.butlercc.edu/news/article/706/update-on-national-student-clearinghouse>
  *   Southern Utah University<https://www.suu.edu/news/2023/06/nsc-data-breach.html>

If you have questions, please contact Kenn Nied, SBCTC Network Services and Information Security, at knied at sbctc.edu or call 360-704-4304. Please do not hesitate to reach out if there's anything more we can do to assist you. We want to extend our support wherever possible.

Please feel free to share this information with relevant staff at your college.

Thank you,
-Grant

Grant Rodeheaver
Deputy Executive Director / CIO, IT Division
Washington State Board for Community and Technical Colleges
grodeheaver at sbctc.edu • o: 360-704-3939 • c: 360-280-4733
sbctc.edu<https://www.sbctc.edu/> • Twitter: @SBCTCWashington<https://twitter.com/SBCTCWashington> • Facebook: @WASBCTC<https://www.facebook.com/wasbctc/>



-------------- next part --------------
A non-text attachment was scrubbed...
Name: Incident Response Plan draft -1.2r1.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 190193 bytes
Desc: Incident Response Plan draft -1.2r1.docx
URL: <http://lists.ctc.edu/pipermail/wsssc_lists.ctc.edu/attachments/20230724/9c6177a5/attachment-0003.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Incident response report - blank.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 16755 bytes
Desc: Incident response report - blank.docx
URL: <http://lists.ctc.edu/pipermail/wsssc_lists.ctc.edu/attachments/20230724/9c6177a5/attachment-0004.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Security Incident Detection, Handling, and Analysis Guide - What to do When.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 16945 bytes
Desc: Security Incident Detection, Handling, and Analysis Guide - What to do When.docx
URL: <http://lists.ctc.edu/pipermail/wsssc_lists.ctc.edu/attachments/20230724/9c6177a5/attachment-0005.docx>