Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information from current and former students and employees in recent MOVEit Transfer data theft attacks.

Colorado State University is a public research university with nearly 28,000 students and 6,000 academic and administrative staff, operating with an endowment of $558,000,000.

The University informed its students and staff on July 12, 2023, that threat actors gained access to personal data of staff and students through these attacks.

Although the true extent and impact of the data breach is still being assessed, CSU provided the following statement on a dedicated cyber incident webpage.

“Certain data about prospective, current, and former CSU students and current and former employees maintained by relevant vendors contains personally identifiable information, which may include first name, middle initial, last name, date of birth, student or employee identification numbers, social security number information, and demographic information such as gender, ethnicity, level and field of education. CSU savvy.

The University says the stolen data dates back to 2021, possibly earlier, meaning graduates may have been affected.

The leak of this data is not the result of a direct breach of the systems operated or maintained by CSU, but rather a compromise of the University’s service providers, TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial , Sunlife and The Hartford.

All of these vendors used the MOVEit Transfer security file transfer platform, which was hacked in a wave of data theft attacks in May 2023.

CSU says the above entities provide services to many universities across the United States, so other educational institutions may soon post similar information.

From, Stony Brook UniversityTHE University of Delawareand the Western University of Health Sciences issued data breach notices regarding the compromise of TIAA, NSC and Corebridge Financial.

At this time, CSU is conducting an internal investigation with the assistance of forensic experts to determine which records and individuals were impacted by the incident and will send individual notification letters to those individuals containing additional resources and protective tips.

During this time, all members of the CSU community are urged to remain vigilant and report suspected cases of identity theft to the university and law enforcement authorities.

Currently, no Identity Theft Protection Service coverage is available to CSU members, who are advised to follow the FTC guidance posted here.

H/T: Brett Callow