Notice of third-party data breach affecting CCBC vendors
Aug 13, 2023
As recently reported in national news media, a significant number of organizations around the world have been affected by a cybersecurity event involving a software utility called MOVEit.
CCBC does not utilize MOVEit software, and no systems operated or maintained by CCBC were breached.
However, two third-party entities with which CCBC interacts, specifically, National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA), have notified CCBC that certain information which CCBC shares with them concerning students and/or employees has been exposed due to the use of MOVEit software by these entities and their partners. We are providing this information to our CCBC community so that everyone in our community can take steps to protect their personal information.
National Student Clearinghouse (NSC) – Notice of Exposure of Certain Current and Former Student Information
NSC is a nonprofit that provides educational reporting, data exchange, verification, and research services to many higher education institutions. NSC works with thousands of colleges and universities, including CCBC, to gather student data required by the U.S. Department of Education. As part of this process, CCBC shares student enrollment and financial aid information with NSC, through a restricted portal. NSC utilizes MOVEit software and has notified CCBC that certain student information submitted through its portal was exposed through the MOVEit data breach. NSC has posted information about this incident to its website, including answers to questions at: https://alert.studentclearinghouse.org/.
On August 8, 2023, NSC advised CCBC that personal identifying information (PII) relating to some existing and former students was exposed in the MOVEit data breach. NSC is preparing to send notices to the affected students. NSC has not yet informed CCBC of the names of impacted students. If you receive a notice from NSC, please read it carefully and follow the steps outlined therein to protect yourself from the unauthorized use of your personal information. NSC is also offering identity protection monitoring to the affected students free of charge.
The Teachers Insurance and Annuity Association (TIAA) - Notice of Exposure of Certain Current and Former Employee Information
The Teachers Insurance and Annuity Association (TIAA) is a financial organization that acts as a fund sponsor for one of CCBC’s 403(b) defined contribution plans. TIAA has advised CCBC that personal identifying information (PII) of certain participants in that plan was exposed in the MOVEit data breach. TIAA’s third-party vendor, Pension Benefit Information, LLC (PBI), which uses MOVEit software in providing services to TIAA, was the actual party directly impacted by the data breach.
TIAA has notified CCBC that PII of 268 current and former employees of CCBC is believed to have been exposed during the PBI/MOVEit data breach. It is anticipated that PBI will send notices on behalf of TIAA to the affected persons. If you receive a notice from PBI or TIAA, please read it carefully and follow the steps outlined therein to protect yourself from unauthorized use of your personal information.
TIAA has advised CCBC that it is monitoring participant accounts for unusual activity and, to date, has not identified any improper activity in accounts of CCBC participants as a result of the MOVEit breach. For additional information on safeguarding your account and staying updated, please visit the TIAA Security Center or contact TIAA directly at 800-842-2252 or via email at firstname.lastname@example.org.
Other Third-Party Servicers Reportedly Impacted by the MOVEit Data Breach
In addition to NSC and TIAA, three other third-party entities which provide or administer retirement plans and investment options to CCBC employees reportedly have been impacted by the MOVEit data breach, including Fidelity Investments, T. Rowe Price Retirement Plan Services and Corebridge Financial. See online reports at:
CCBC has not received direct notice from these entities as to whether the MOVEit data breach impacted or exposed information concerning CCBC employees. CCBC is contacting these entities for further information and will provide an update if we obtain information from them regarding the impact of this data breach on CCBC employees.
What You Can Do To Help Protect Your Personal Information
Even if you do not receive a letter from NSC or TIAA, we recommend that you take the following actions to protect your personal information:
1. Be vigilant: Cybercriminals can leverage stolen personal information to craft convincing phishing attacks in the coming weeks and months. An email, notice, or text message containing accurate information about you or one of your accounts is not enough to verify authenticity. Verify the source of a message before responding. Phone calls may also be used to obtain personal or financial information. Do not open emails or text messages from unknown email addresses or phone numbers and do not click on links in emails or texts that you are not expecting.
2. Monitor your financial accounts and credit: It is always wise to monitor your credit report for unusual activity. Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call toll-free, 1-877-322-8228. If you receive notice that your personal information has been exposed, consider putting a credit freeze in place to frustrate would-be scammers.
3. Consider using a credit monitoring service: If sensitive information has been exposed, credit monitoring is an important tool to safeguard your identity. And it is often provided to you at no cost in response to a potential compromise.
4. Update and protect your passwords and use multi-factor authentication (MFA): Unique, recently updated passwords, together with the use of MFA, are important defenses against cybercriminals in a digital world. Never give someone your password or a two-factor code if asked for it, even if they claim to be from a trusted organization.
CCBC takes data privacy and information security very seriously and this matter is of utmost and vital importance to the CCBC community. CCBC’s Information Technology department continues to monitor and seek information regarding the extent of the impact of the MOVEit breach on students and employees.
For questions concerning this notice, please contact Information-Safety@ccbcmd.edu.