A recent breach notification from Georgia’s University System is informing some 800,000 students and employees of a May incident that may have exposed sensitive information.
However, that’s May of 2023, not the present month. The data loss is tied to the MOVEit breach that ran rampant last summer, a campaign that ultimately racked up over 2,700 victims.
MOVEit breach victims still appearing as late notices are filed
The breach notification confirms that the university system was using MOVEit in 2023 and was part of the widespread breach by the Cl0p ransomware group, which leveraged a previously unseen zero-day vulnerability and managed to keep the campaign quiet until it had already infiltrated many of its victims.
As with most of the attacks in this campaign, Cl0p did not deploy ransomware, opting instead to simply steal data from the victims and then extort many of them at once. The university system says that Cl0p will “likely” publish the information on its website, indicating that a payment was not made. The statement further indicates that the university system became aware of the MOVEit breach in late May of last year and blocked the software on its network, so it is very likely that the stolen data was already dumped to the dark web or sold some time ago.
The university system said that it had conducted a “lengthy investigation” in the wake of the MOVEit breach and has determined that about 800,000 people in total are impacted. The notification does not break this down by demographics, but that number is more than double the number of students enrolled in the 26 schools that make up the system. Given that, it is likely that former students and/or employees are also impacted. Exposed data includes “partial or full” Social Security numbers, bank account numbers, federal tax documents that include Tax ID numbers, and dates of birth. It is unclear if driver’s license numbers were exposed, as this is a category listed on the state of Maine’s mandatory breach reporting portal but is not present on the general notification sent out to students.
The university system is offering impacted individuals a free 12 months of the Experian IdentityWorks credit protection service, which must be redeemed by the end of July.
University system breach adds to 95 million tally of total MOVEit victims
While the university system was suspected to have been among those compromised in 2023 as the MOVEit breach unfolded, the confirmation now adds almost another million records to the roughly 95 million that Cl0p stole as part of this massive campaign. When victims do not pay, as appears to have been the case with the university system, Cl0p either dumps the data to the public via its dark web portal or puts it up for private auction to other cyber criminals.
The MOVEit breach has hit at least 900 other US schools for a similar collection of sensitive information, by way of the National Student Clearinghouse (a nonprofit that provides research and verification services). News of the breach began spreading in early June 2023, when the government of Nova Scotia and a number of both high-level government agencies and private companies in the United Kingdom began reporting incidents. Cl0p is thought to have begun exploiting the vulnerability in late May of that year, and began publicly extorting victims in mid-June.
Cl0p has existed since at least 2019, and has a history of targeting file transfer tools that dates back to well before the MOVEit breach. It pulled off similar attacks on the Accellion File Transfer Appliance in 2020 and GoAnywhere in 2023. The group has proven remarkably resilient, surviving partial takedowns of its operations in both 2021 and 2022. It now seems to have its hands full with exploiting the 2,770+ victims of the MOVEit breach and collecting payments, having shown little other noteworthy activity since 2023.
School systems in general are becoming a more popular target for cyber criminals, as they often sit on large amounts of salable data and are frequently not properly defended (in turn due to budgeting issues, which may stem from either a lack of understanding of the importance of cybersecurity or a simple lack of funds). Recent research by Emsisoft found that cyber attacks on school districts in the US jumped from 45 in 2022 to 108 in 2023, more than doubling during that time.
This problem is not just limited to higher education, but university systems are a particularly appealing target because of their sprawling attack surfaces that generally include both a broad variety of vendors and a slew of personal devices connecting to the organization’s networks.