National MOVEit Data Breach

How It Affects the Buffalo State Community

The MOVEit Transfer software cyber incident has affected institutions across the nation, including three organizations that Buffalo State University works with: the National Student Clearinghouse (NSC), TIAA CREF, and Corebridge. Each organization has contacted SUNY to alert it to the possibility that the personal information of students, employees, and retirees may have been affected.

No Buffalo State systems were breached during this incident. We are communicating this information about the MOVEit Transfer software cyber incident so everyone in the Buffalo State community is aware of it and can take necessary precautions.

SUNY has been assured by NSC, TIAA CREF, and Corebridge that their systems have been secured and that they are working with the FBI and global cyber security experts in an ongoing investigation to determine the impact of the cyber incident.

What's Next?

In the coming weeks, SUNY expects that potentially affected individuals will be contacted by one or more of these organizations.

In the meantime, we recommend that you use your right to a free annual credit report from each of the three major credit reporting companies: Equifax, Experian, and TransUnion.

You may also wish to consider contacting the Federal Trade Commission at ftc.gov or consumer.ftc.gov/features/identity-theft. In addition, here are links from two of the organizations where you can find additional information:

If you were potentially affected by the MOVEit incident, you will be contacted by one or more of the compromised organizations.

We will also update you directly once we have further information.

Data Privacy and Security

Data privacy and security are serious matters at Buffalo State University. Here are some tactics to protect yourself, given the information available at this time:

  1. Ensure that your accounts are secure and use multi-factor authentication whenever possible. It is also recommended that you use long passphrases for all your accounts. Never give someone your password, passphrase, or authentication code, even if they claim to be from a trusted organization.
     
  2. Be extra cautious and vigilant against phishing attacks in the coming weeks and months.

    Phishing scams may arrive via text message, email, or other mode of communication, and can contain personal information. Verify the source of the message before responding. Cybercriminals may leverage stolen personal information and send convincing emails, notices, or text messages containing accurate information about you or one of your accounts. The Buffalo State IT Help Desk recommends that if you have any doubt about the authenticity of an email, you should delete it.
     

  3. Monitor your financial accounts and credit. It is always wise to monitor your credit report for unusual activity. If you believe you are being targeted, consider putting in place a credit freeze.

What is the National Student Clearinghouse and why do campuses provide student information to this organization?
National Student Clearinghouse is a federally sponsored organization used for sharing and tracking student education-related information for use in federally mandated reporting, as well as for research. It provides trend data and research evidence that many institutions of higher education use to improve the academic experience with services that ensure that students maximize their academic opportunities and graduate on time.

What does TIAA CREF do for SUNY?
TIAA CREF is a benefits company used by SUNY campuses on behalf of their employees.

What does Corebridge do for SUNY?
Corebridge (AIG) is an investment company used by SUNY on behalf of their employees.

What have the National Student Clearinghouse, TIAA CREF, and Corebridge said about the MOVEit data breach?

Here are links from two of the organizations where you can find additional information:

When was the data breach first discovered by the National Student Clearinghouse?
SUNY campuses learned in June that personal identifying information of students may have been compromised in a global cyber incident. Information technology experts across SUNY launched an investigation to ensure that the data breach did not extend to administration or campus systems.

When did TIAA CREF and Corebridge notify SUNY of the MOVEit data breach?
TIAA CREF notified SUNY of the MOVEit data breach June 16 and then confirmed June 29 that the breach affected SUNY retirement plan participants and retirees.

Corebridge notified SUNY of the MOVEit data breach June 27 and is still working to determine who on the SUNY retirement plans has been affected.

Why are SUNY campuses only now reporting the data breach to students, employees, and retirees whose information might be compromised, and to what extent has that delay deepened the vulnerability to identity theft?
SUNY colleges and universities are notifying their broad campus communities and retirees now because personally identifying information may have been compromised and steps have been taken to protect their information. This situation is evolving. At this time, there is enough information to provide to students, employees, and retirees who may have been affected.

What specific types of personal data have been or may have been compromised?
Though not yet confirmed, based on how campuses use the National Student Clearinghouse for the purposes of research, the compromised information may include names, dates of birth, addresses, demographics, student identification numbers, financial account information, and Social Security numbers.

TIAA CREF: Potentially, employee or retiree data including personal identifying information and Social Security numbers may be compromised.

Corebridge: Potentially, employee or retiree data including personal identifying information and Social Security numbers may be compromised.

Has there been any known attempt to use any of the compromised data, or any demand for ransom or other action on the part of hackers?
There is no evidence of any attempted use of the compromised data, nor any demand for ransom that SUNY has been made aware of by the National Student Clearinghouse, TIAA CREF, or Corebridge.

What, if any, protective services related to identity theft are being offered by the National Student Clearinghouse, TIAA CREF, or Corebridge to students, employees, and retirees who have been or might have been compromised?

National Student Clearinghouse, TIAA CREF, and Corebridge are responsible for the official notifications, and will send information to affected individuals. TIAA CREF’s vendor, PBI, is providing two years of credit monitoring at no cost to impacted individuals.

These agencies have also informed the Office of the New York State Attorney General and the New York State Police.

What steps, if any, should students, employees, and retirees be taking on their own?
SUNY and its campuses recommend that you use your right to a free annual credit report from each of the three major credit reporting companies: Equifax, Experian, and TransUnion.

You may also wish to consider contacting the Federal Trade Commission at ftc.gov or consumer.ftc.gov/features/identity-theft.

In addition, here are links from two of the organizations where you can find additional information: