Summary of the Event
国家学生信息交换中心(简称“信息交换中心”)使用MOVEit Transfer工具
offered by software provider Progress Software, to support the transfer of files.
MOVEitTransfer中的安全漏洞允许对传输的文件进行未经授权的访问
through the tool. Upon learning of the vulnerability, the Clearinghouse promptly launched
an investigation to understand its impact on the Clearinghouse and our customers.
The investigation revealed that an unauthorized third party obtained certain files
通过本软件传输的,包括包含个人信息的文件
that the Clearinghouse maintains on behalf of our customers. The affected files were
then analyzed to determine the individuals whose personal information appeared in
文件和向信息交换中心提交这些信息的数据提供者.
请仔细阅读此页,因为它包含有关哪些数据的重要信息
was impacted and what you may need to do.
Details of Event
2023年5月31日,第三方软件提供商Progress software宣布了一项安全措施
该漏洞与MOVEit Transfer软件有关,可能影响数千人
of organizations worldwide. MOVEit Transfer is a software tool used by many organizations,
including the Clearinghouse, to support the transfer of files. According to Progress
软件,一个未经授权的第三方在MOVEit传输中发现了一个漏洞
software that could allow unauthorized access to files transferred through the tool.
在得知这个漏洞后,Clearinghouse立即展开了调查 and took steps to secure our relevant systems. We reported the issue to law enforcement 并与领先的网络安全专家合作,了解该问题的影响 on our organization and our customers. The Clearinghouse acted promptly to protect our systems and our customers’ data by applying the relevant security patches and 遵循国土安全部网络安全和基础设施部门的指导 安全局,联邦调查局,以及其他网络安全专家. 作为预防措施,我们重建了信息交换所的整个MOVEit环境, 我们已经实施了额外的监测措施,以帮助我们进一步识别 activity associated with the issue.
根据调查,我们认定是未经授权的第三方获取了 通过MOVEit Transfer软件传输的某些文件,包括包含 personal information that the Clearinghouse maintains on behalf of our customers. The unauthorized party obtained the files onor around May 30, 2023. Although the Clearinghouse 在5月得知这个漏洞后,我们立即开始了内部调查 直到2023年6月20日,我们才知道某些文件被访问了 by an unauthorized party. Since then, the Clearinghouse has been working diligently 了解受影响文件的性质和范围,并与相关部门沟通 十大赌博靠谱信誉网站事件的数据提供者和我们正在采取的步骤,以回应 incident. We initiated a two-phased review of the affected files with the assistance of a third-party vendor. During the first phase, the data providers whose information appeared in the files were identified. The second phase involved identifying the individuals whose personal information appeared in the files, determining the types of personal 文件中的信息,并将这些信息连接到提交的数据提供者 it to the Clearinghouse.
信息中心向国家信息中心提供了有关人员的姓名 our organization whose personal information was identified in the affected files. The individuals will be identified by their names as they appeared in the affected files.
在一些受影响的文件中,个人信息,如社会安全号码, studentidentification numbers, or dates of birth appeared. However, the individuals identified at 十大赌博靠谱信誉网站 did not have a Social Security number, student identification number, or date of birth from our organization appearing in the affected files. 对于已识别的个人,受影响的个人信息类型可能包括 names, contact information, and educational information such as enrollment, degree, 以及课程级别的数据(例如,来自成绩单和PostsecondaryData Partnership) reports), although the types of information vary by individual.
http://alert.studentclearinghouse.org/
National Clearinghouse Frequently Asked Questions
未经授权的第三方发现软件供应商存在安全漏洞 Progress Software的MOVEit传输工具,允许未经授权的访问文件 transferred through the tool. The unauthorized party exploited the vulnerability to 获得未经授权访问clearinghouse的MOVEit环境,并获得某些 文件,包括信息交换所维护的包含个人信息的文件 on behalf of our customers.
Progress Software在2023年5月31日宣布了安全漏洞,而Clearinghouse promptly launched an investigation to understand the impact of the vulnerability on our organization and our customers. On June 20, 2023, the investigation revealed that 未经授权的第三方从Clearinghouse的MOVEit环境中获取了文件 on or around May 30, 2023.
在一些受影响的文件中,个人信息,如社会安全号码, student identification numbers, or dates of birth appeared. However, the individuals 没有社会安全号码,学生身份证号, or date of birth from your organization appearing in the affected files.
在得知MOVEit Transfer软件的漏洞后,Clearinghouse promptly launched an investigation and took steps to secure our relevant systems. 我们向执法部门报告了这个问题,并与领先的网络安全专家合作 to understand the impact of the issue on our organization and our customers.
一旦我们得知某些文件被未经授权的机构获取,信息交换中心 began working with a third-party vendor to review and analyze the relevant files. This review involved two phases. During the first phase, the vendor identified the 数据提供者的信息出现在受影响的文件中,启用了Clearinghouse to notify impacted data providers. During the second phase, the vendor identified 在受影响的文件中出现个人信息的个人确定 文件中个人信息的类型,以及所连接的个人信息 to the data provider that submitted it to the Clearinghouse. The Clearinghouse provided information derived from the review and analysis of the affected files.
We believe the issue is contained based on the significant measures we have taken to further strengthen the security of our systems and our customers’ data. The Clearinghouse 使用Progress Software发布的相关安全补丁,并遵循指导 来自国土安全部网络安全和基础设施安全部门 机构、联邦调查局、Mandiant、微软和其他网络安全公司 experts. As a precautionary measure, were built the Clearinghouse’s entire MOVEit environment, so that our customers’ data is entering into a newly built, pristine environment that was never accessed by the unauthorized third party. We have also implemented additional monitoring measures to help us identify any further activity associated with this issue.
信息交换所一直在定期与数据提供商就MOVEit进行沟通 Transfer issue and providing updates on the related investigation. We notified data providers after learning that the issue involved certain information they may have provided to us. Since then, we have continued to communicate with impacted data providers 十大赌博靠谱信誉网站正在进行的对受影响文件的评审和分析,以及对受影响文件的支持 Clearinghouse is offering to data providers.
In a recent communication sent to 十大赌博靠谱信誉网站, the Clearinghouse indicated that we would
be providing you with access to a portal and the list of individuals available in
the portal.
因为没有社会安全号码,学生证号码,或出生日期
provided by your organization were identified for the individuals identified in the
portal, NSC will not notify individuals on 十大赌博靠谱信誉网站’s behalf. Therefore, the Clearinghouse
没有要求十大赌博靠谱信誉网站对其中的个人采取任何行动吗
this list.