What Happened?
Multiple third and fourth-party vendors for University of Idaho services were breached as a result of an exploited vulnerability in the "MOVEit" software used to transfer data between vendors. Attackers compromised this software prior to the software developer making patches available.
TIAA / PBI Breach
We received information on July 13, 2023, that Pension Benefit Information, LLC (PBI), a sub-contractor of retirement vendor TIAA, was a victim of the MOVEit vulnerability that affected numerous vendors. For the university this included a subset of current and former employees and retirees. Disclosed information includes name, address, gender, date of birth, and Social Security Number. Affected persons will be notified directly by PBI/TIAA and offered 2 years of credit monitoring via Kroll. No university accounts or systems were involved in the breach.
Vendor notice: PBI Sample Notification Letter
Persons affected: 1438
Credit Monitoring offered: 2 years from Kroll
URL: https://enroll.krollmonitoring.com
Communication via postal mail sent late July, 2023.
United Health Breach
We received information on July 17, 2023 that United Health, a provider of Student Health Insurance suffered a breach as a result of the MOVEit vulnerability. For the university, this affects 341 students and data compromised may include name, date of birth, address, phone number, email address, health claims, prescriptions, diagnosis, and provider information. No university systems or accounts were involved in the breach. Social Security Number was NOT included in any breached data.
Vendor notice: NA
Persons affected: 341
Credit Monitoring offered: 2 years from Lifelock®
URL: https://lifelock.com
Communication via mail and email sent between July 24 and July 31
National Student Clearinghouse Breach
We received information from the National Student Clearinghouse (NSC) on June 28, 2023 that some student data shared with the National Student Clearinghouse may have been breached as a result of the MOVEit vulnerability. The affected data could include name, date of birth, student ID, and academic transcripts. No persons associated with U of I had their SSN exposed in this breach.
Vendor notice: https://alert.studentclearinghouse.org/
Persons affected: 7
Persons affected (name only): 13,421
Credit Monitoring offered: 2 years from Kroll
URL: https://enroll.krollmonitoring.com
Communication via postal mail expected at a date TBD (after 8/22/23)
We are following the situation with our vendors and will update this page as they provide more information.
Recommendations
- Read any notices you receive carefully to be sure they are legitimate, and what data is affected. If you are unsure if the letter is legitimate, search for the company online and call their customer service line to verify.
- If the vendor offers credit monitoring, take advantage of the offer. Credit monitoring is an important tool to safeguard your identity.
This is also a good reminder of the importance of cybersecurity. You can protect yourself and others by taking the following steps:
- Monitor your credit report for suspicious changes. You can use a third party service for this, or this may be available at no cost through your financial institution.
- Protect all your online accounts by enabling Mult-Factor Authentication (MFA) when available.
- Be suspicious of requests for personal data, and report suspicious or phish messages to OIT, or your email provider.
- If your identity is stolen, use the resources available.
References:
Idaho SBOE notice
What do I do if my identity is stolen?
Millions affected by MOVEit mass hacks
Breaches reported to Idaho Attorney General