On June 29, 2023, Middlebury College posted an “Information Security Notice” on its website. Evidently, two of the College’s vendors, the Teachers Insurance and Annuity Association (“TIAA”) and the National Student Clearinghouse (“NSC”), used MOVEit, which is a file-transfer software that was recently discovered to contain a vulnerability that allowed hackers to access information stored within the platform. Both TIAA and NCS informed Middlebury College that confidential information belonging to Middlebury students, staff and faculty members may have been subject to unauthorized access. Middlebury College does not use MOVEit. However, the College provided student and employee information to its vendors who used the software, which is how the data breach occurred. Upon completing their own investigations, TIAA and NSC will begin sending out data breach notification letters to all individuals whose information was affected by the recent data security incidents.
If you receive a data breach notification from TIAA or the National Student Clearinghouse, it is essential you understand what is at risk and what you can do about it. Middlebury College provided notice of the breach on its website, but the data breach letters will be coming from NSC or TIAA. However, regardless of the name at the top of the letterhead, the end result is the same: your personal information may be in the hands of criminals who are looking to steal your identity. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the MOVEit data breaches affecting Middlebury College. For more information, please see our recent piece on the topic here.
What Caused the Data Breach Affecting Middlebury College Students and Staff?
The Middlebury College data breach was only recently announced, and more information is expected in the near future. However, Middlebury College’s “Information Security Notice” provides some important information on what led up to the breach. According to this source, Middlebury College deals with two third-party vendors, the Teachers Insurance and Annuity Association and the National Student Clearinghouse. To enable these companies to perform the contracted services, Middlebury College gave both NSC and TIAA confidential information related to students, faculty and staff. However, both of these vendors, which are not related, use or used the file-transfer software MOVEit.
In May 2023, the company that created MOVEit, Progress Software, LLC, announced a zero-day vulnerability affecting MOVEit. This vulnerability allowed unauthorized parties to access information that was transferred or stored on the platform. Because both TIAA and NSC used MOVEit to transfer data provided to the companies by Middlebury College, each of these companies informed Middlebury College that certain information belonging to students, staff members and faculty members may have been subject to unauthorized access.
On June 29, 2023, Middlebury College posted notice of the data breach. However, because the breach did not impact the IT network of Middlebury College, any data breach letters will come from the Teachers Insurance and Annuity Association or the National Student Clearinghouse.
More Information About Middlebury College
Founded in 1800, Middlebury College is a private liberal arts school located in Middlebury, Vermont. Middlebury College offers courses of study in the arts, humanities, literature, foreign languages, social sciences, and natural sciences. Middlebury enrolls approximately 2,700 students each year. Middlebury College employs more than 1,620 people and generates approximately $290 million in annual revenue.
