Schools say US teachers’ retirement fund was targeted by MOVEit hackers
Two U.S. schools have confirmed that TIAA, a nonprofit organization that provides financial services for individuals in academic fields, has been caught up in the mass-hacks targeting MOVEit file transfer tools.
Middlebury College in Vermont and Trinity College in Connecticut both released security notices confirming they experienced data breaches as a result of a security incident at the Teachers Insurance and Annuity Association of America, or TIAA. According to its website, TIAA serves more than five million active and retired employees participating at more than 15,000 institutions and manages $1.3 trillion in assets in more than 50 countries.
Both of the security notices confirm that TIAA was affected by hackers’ widespread exploitation of a flaw in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software.
In a statement given to TechCrunch, TIAA spokesperson Chad Peterson said that the organization wasn’t directly impacted by MOVEit, but was impacted by a breach at one of its third-party vendors using MOVEit Transfer. The vendor, named as Pension Benefit Information (PBI), is used by TIAA for auditing and beneficiary location services.
“No information was obtained from TIAA’s systems and TIAA systems were not at risk from the MOVEit Transfer vulnerability,” Peterson said. “We have not observed any related unusual activity from this event involving TIAA accounts.”
The mass-hack has so far claimed more than 160 victims, according to Emsisoft threat analyst Brett Callow, including the U.S. Department of Health and Human Services (HHS) and Siemens Energy. Only 12 of these victims have confirmed the number of people affected, which already adds up to more than 16 million individuals.
Trinity College, which uses TIAA as the record keeper for its annuity plan, said in a statement that while its own systems were unaffected by the MOVEit hack, “TIAA, with whom Trinity shares student employee data, has announced that its files may be impacted.” Trinity said that it shared Social Security numbers and dates of birth with TIAA.
Middlebury College said it had also been notified by TIAA, with whom it shares personally identifiable information, that data belonging to the college had been exposed due to the cyberattack. While it hasn’t confirmed exactly what types of data were accessed, Middlebury said it notified college “students, faculty, and staff” whose information may have been compromised in the breach.
Middlebury confirmed it was also impacted by a MOVEit attack on National Student Clearinghouse, which resulted in the exposure of student data.
While TIAA notified affected schools of its security incident, the organization has yet to publicly acknowledge the incident. In response to a Twitter user questioning the organization’s silence, TIAA responded saying that its offices were closed.
It’s not yet known how many organizations have been impacted as a result of the cyberattack on TIAA. TIAA has not yet been listed on the dark web leak site of the Russia-linked Clop ransomware gang, which has claimed responsibility for the ongoing MOVEit cyberattacks.
Updated with comment from TIAA.