Recommendations for Addressing the MOVEit Data Breach in Higher Education

August 03, 2023

The vulnerability in the MOVEit software has become a major concern for educational institutions across the country. As cyber exploits continue to make headlines, the National Student Clearinghouse (NSC), a crucial data holder and processor for countless U.S. colleges and universities, has discovered an exploit in their instance of MOVEit. Taking a proactive approach, the NSC is reaching out to potentially affected institutions to alert them to a possible data breach.

To help support affected institutions, the cybersecurity team at OculusIT has collaborated on a list of recommended measures for higher education to consider when addressing the MOVEit data breach.

The NSC’s Proactive Notification:

The NSC is taking the MOVEit problem seriously and has acted quickly, communicating with the institutions they work with to let them know about the possible data breach. Even though they are still determining exactly which institutions are affected, the NSC’s proactive notification process aims to provide a heads-up to institutions. Each institution will receive its own unique notification, and they will be told exactly what data might have been compromised.

Institutions’ Transparency and Good Faith:

Even if the data breach didn’t happen in their own systems, many institutions are choosing to be honest and trustworthy. They understand just how important it is to tell their students and staff about the situation. The sooner affected individuals are informed that there may be an issue with their personal data, the sooner they can review accounts, change passwords, monitor financial activity, etc. and effectively manage the situation.

Recommended Actions for Higher Education Institutions:

1. Report the incident to the Department of Education’s Federal Student Aid (FSA)

  • FSA has confirmed each institution should report the NSC incident to them.

2. Report the incident to your Cybersecurity Insurance Provider

3. Consider creating a website post and email for all constituents:

  • Describe the incident.
  • Explain what NSC is and why they have the data.
  • Point out the compromise was not due to your institution’s systems or networks.
  • Provide other relevant information as appropriate.

4. Create an FAQ page to help proactively answer any concerns or questions

5. Create a generic MOVEit/NSC email account and direct all incoming communications to this address so they can be tracked and organized and receive swift, effective responses.

6. Establish and communicate a phone number that will route to the appropriate individuals who know how to respond and assist with any phone inquiries.

7. Train your institution’s help desk in handling incoming concerns and questions.

8. Consider creating a new category in your ticketing system to store and organize requests.

9. If you have the resources, demonstrate your ongoing commitment to your constituents by working with an outside provider and offering optional enrollment in credit monitoring. This will show good faith and a commitment to providing students with a safe and secure environment.

In light of the MOVEit data breach, higher education institutions must prioritize transparency and proactive measures to safeguard their constituents’ data. By following the recommended actions, institutions can effectively manage the incident and demonstrate their commitment to the security and well-being of their students, alumni, faculty, and staff.

For additional support in addressing this matter or to enhance your institution’s security measures, contact our team of security experts today.