MOVEit Transfer Data Breaches
The University of North Dakota (UND) and the North Dakota University System (NDUS) are monitoring two data breaches traced back to MOVEit Transfer, a file transfer software used by third-party contractors to securely transfer files from one system to another.
The University was recently notified by TIAA, a company that manages NDUS retirement funds, and National Student Clearinghouse (NSC), which manages degree verification and enrollment, that sensitive data may have been exposed during file transfers.
UND and TIAA (via PBI) have already notified the individuals impacted by the TIAA breach. NSC is expected to notify impacted individuals within the next several weeks.
Further information on the breaches can be found on the respective websites.
- National Student Clearinghouse MOVEit Security Issue
- TIAA – PBI Research Services Statement on MOVEit Cyberattack
Frequently Asked Questions
What is the National Student Clearinghouse, and why do campuses provide student information to this organization?
The National Student Clearinghouse provides educational reporting, data exchange, and verification services to many colleges and universities nationwide. To allow NSC to provide these services, colleges and universities must provide NSC with students’ confidential information.
What does TIAA do for UND?
TIAA is a retirement benefits company NDUS uses on behalf of our employees.
When was UND first notified of the NSC data breach?
On June 16, 2023, NDUS campuses were informed that students' personal identifying information may have been compromised in a global cyber incident. On June 28, 2023, NSC confirmed the breach. At this time, UND does not have any information on how many individuals were impacted by the breach or who they are.
When was UND first notified of the TIAA data breach?
On June 16, 2023, a general notification was sent by TIAA to NDUS regarding a potential breach. On June 29, 2023, TIAA confirmed the breach. On July 14, 2023, letters were sent by PBI to the impacted parties. UND Human Resources also notified the impacted individuals via email.
Why is UND only now reporting the data breach to students, employees, and retirees whose information might be compromised?
The information shared with us by the breached entities was limited due to ongoing forensic investigations. Because the situation was still developing, UND did not have enough information to share with the community or the impacted individuals.
What specific types of personal data have been or may have been compromised?
- NSC: At this time, we do not know the extent of the data compromised.
- TIAA: Employee or retiree data, including personal identifying information and Social Security numbers, may be compromised.
How soon will I know whether my data was compromised?
- NSC: NSC notified us that it is working with a third-party vendor to review affected files and expects that review to be completed within the next few weeks. After that, NSC will begin providing its campus contact with more information on individuals affected. We will work with NSC to ensure that affected individuals are promptly notified.
Has there been any known attempt to use any compromised data or any demand for ransom or other action by the hackers?
Neither TIAA nor NSC has notified us of evidence of any attempted use of the compromised data or of any ransom demand.
What steps, if any, should such students, employees, and retirees take on their own?
UND highly recommends taking advantage of your right to obtain a free annual credit report from each major credit reporting company, namely Experian, Equifax, and TransUnion. In case of any concerns regarding identity theft, you may also wish to consider contacting the Federal Trade Commission through their website at https://www.ftc.gov/ or https://consumer.ftc.gov/features/identity-theft. These proactive measures can help safeguard your personal information and financial well-being.
Please note: UND Human Resources (HR), the Registrar’s Office, and University Information Technology (UIT) do not have additional information to share beyond what is provided above. All three entities are working diligently with NDUS, TIAA, and NSC to obtain additional information and clarification on the potential scope and impact of the breach.
FAQs will be updated as we receive more information.
If you have specific security questions, please email und.cybersecurity@und.edu.