National Student Clearinghouse

Notice on National Student Clearinghouse student data breach

Lake Region State College has recently been notified by the National Student Clearinghouse (NSC) of a data breach that involved personal student data that the Clearinghouse maintains on behalf of the vast majority of US higher education institutions. According to NSC, an unauthorized third party obtained certain files, including student data files, transferred by NSC through the MOVEit Transfer tool, a file transfer software product. Upon learning of this vulnerability, NSC launched an investigation and took steps to secure its systems. This incident took place within NSC’s system and not within the campus system. Lake Region State College internal data systems for student and alumni records are secure and have not been impacted by this cybersecurity incident.

At this time, NSC has provided no further details or specific information about the data that were affected. NSC has informed us that it is working with a third-party vendor to review affected files and identify individuals whose personal information appears in the files. Once the review is complete, NSC has indicated it will provide us with a list of affected individuals. At that time, we will work with NSC to notify any individuals impacted. The NSC has provided the following link for individuals to monitor the incident:

What is the National Student Clearinghouse?
The NSC is a non-profit organization founded in 1993 to provide educational reporting, research, and data services for more than 3,600 colleges and universities.

What happened?
According to NSC, software provider Progress Software recently announced a security vulnerability related to its MOVEit Transfer product, potentially affecting thousands of organizations worldwide. According to Progress software, an unauthorized party discovered the vulnerability in the MOVEit Transfer software, which could allow unauthorized access to files being transferred using the tool.
Based on NSC’s ongoing investigation, they have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that is maintained on behalf of some of its customers. NSC has indicated there is no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse or Lake Region State College.

Is Lake Region State College’s data system safe?
Yes. While it is impossible to guarantee 100% cybersecurity, this incident took place within NSC’s system and not within Lake Region State College’s systems. At present, Lake Region State College’s internal student and alumni data systems have not been impacted by this cybersecurity incident.

What information was contained in the files?
At this time, we do not know the extent of the data that was compromised. LRSC, along with most public and private colleges and universities across the country, provides student data to NSC.

Does this incident involve the records of any alumni?
Lake Region State College’s internal alumni data systems were not affected by this incident. However, since we have no information about the specific files and data that were impacted, we do not yet know if data of students who have now graduated were involved.

Does this incident involve employee records?
Lake Region State College’s internal employee data systems were not affected by this incident. However, the underlying security issue with the MOVEIt Transfer tool has impacted many corporations, government agencies, and organizations worldwide. An individual may receive notification of a security issue from a different organization.

How has LRSC responded to this incident?
Lake Region State College takes student data privacy very seriously. Campus leaders are in active communication with the National Student Clearinghouse to receive updates and coordinate information. 

How soon will I know if my data was compromised?
NSC notified us that it is working with a third-party vendor to review affected files and expects that review to be completed within the next few weeks. After that, NSC will begin providing its campus contacts with more information on individuals affected. We will work with NSC to ensure affected individuals are promptly notified.

What can I do to protect my personal data?
Here are some general guidelines to follow:
•    Keep mobile devices and apps updated
•    Don’t click random links or visit unknown websites
•    Delete or report suspicious emails to avoid granting access to accounts
•    Update and secure all home devices connected to the internet
•    Use strong passwords and two-factor authentication and confirm privacy settings
•    Practice safe social media use; be careful not to post personal/sensitive information
•    Avoid free Wi-Fi networks to prevent compromising sensitive information
•    Secure home Wi-Fi networks and digital devices by changing the factory password
•    Optimize operating system, browser, and security software by installing recommended updates