To all Vermont State Colleges Students, Faculty, and Staff:
As you may have heard, a significant number of organizations around the world have been affected by a cybersecurity event related to the MOVEit software utility, used by our partners National Student Clearinghouse (NSC) and TIAA.
While the Vermont State Colleges (VSC) does not host MOVEit, NSC and TIAA do. We have been notified that Personally Identifiable Information (PII) may have been exposed due to the MOVEit software breach.
The VSC IT department is actively monitoring the situation in partnership with the affected service providers to determine the extent of potential exposure. More information and guidance will be provided as the situation develops. Summarized below is the information we have received to date.
National Student Clearinghouse (NSC)
- NSC provides educational reporting, data exchange, verification, and research services to many higher education institutions. The VSC shares student data and information with NSC.
- NSC has confirmed some students within the VSC were included in the exposure. Please note: NSC will contact you directly if your data is at risk.
- NSC has posted information about this incident on a status page on their website: https://alert.studentclearinghouse.org/. General information about NSC’s published data privacy and security practices can be found on the NSC website as well: https://www.studentclearinghouse.org/about/our-privacy-commitment/.
TIAA (The Teachers Insurance and Annuity Association)
TIAA is a financial organization that provides investment and insurance services for those working for organizations in the nonprofit industry in academic, research, medical, government, and cultural fields. The VSC shares employee information with TIAA for participation in our retirement plans.
According to TIAA, a vendor they contract with, Pension Benefit Information, LLC (PBI), uses MOVEit software as part of their death claim and beneficiary processes. Please note: if your data was impacted, PBI has contacted or will contact you directly by mail, offering credit monitoring for two years at no cost to you.
What can you do to protect your personal information?
We recommend following the TIAA guidance to ensure your data is protected. Employees were sent a document with best practices outlined by TIAA.
What does the VSC do to protect your personal information?
While this incident did not occur on any of our internal systems, we wanted to take the opportunity to remind you about some of our VSC security efforts. Your data is important, and VSC IT and the VSC Cybersecurity Team work diligently to protect it. Below are some of the steps taken to ensure your data is safe:
- Vendor reviews and security vetting. When onboarding new vendor partners, the VSC Cybersecurity Team does an initial review of the product(s) and service(s) offered by each vendor, taking into consideration how your data is stored, what data is shared, who your data is shared with, and whether the vendor has experienced past breaches.
- Multi-factor Authentication (MFA). In recent months, all VSC users have been required to use the DUO MFA utility to verify all Single-Sign-On (SSO) access to VSC services.
- Endpoint Detection and Response (EDR). The VSC has recently partnered with SentinelOne to deploy their EDR product to monitor all VSC-owned devices for malicious software and threats to our endpoint devices.
- Administrative and elevated privileges policies. The VSC IT department grants elevated/administrative privileges to users on an as-needed basis, reducing the risk of administrative account compromise. These accounts are reviewed annually by the VSC Cybersecurity Team and corresponding departments to ensure all users with administrative access are active users in need of elevated privileges.
- Phishing education and training. The VSC Cybersecurity department administers phishing tests to all VSC faculty and staff semesterly, with included training modules to continuously educate users on the importance of secure email usage. The VSC will never ask for your personal information via email or text message.