Several institutions affiliated with Stony Brook University have become targeted by a cyberattack, putting the private data of students, faculty and staff at risk.
In an email sent to the campus community on July 11, Lawrence M. Zacarese, the vice president for Enterprise Risk Management, and Matt Nappi, the assistant vice president of the Division of Information Technology, announced that the attack had taken place and shared how it could affect the SBU community.
According to the email, the affiliated institutions in question were the National Student Clearinghouse (NSC), the Teachers Insurance and Annuity Association (TIAA) and Corebridge Financial.
“The type and extent of the data accessed by the cybercriminals is not yet known, but we have been advised that the impacted organizations will notify you personally in due course if your information was affected,” the email read.
While Zacarese and Nappi did not provide any specific information related to exactly what data could have been accessed, Corebridge Financial has disclosed that the information leaked may include full names, social security numbers, addresses, and dates of birth.
The Stony Brook Media Relations Office declined to provide answers to a list of questions sent by The Statesman. University officials instead directed The Statesman to the previous email sent by Zacarese and Nappi.
The cyberattack was part of a broader effort conducted by the Russian hacking group CL0P. The group exploited a vulnerability in software called MOVEit used by the affected organizations for transferring and storing digital files. This allowed CL0P to gain access to personal data stored by the organizations. According to the website KonBriefing, the attack has affected over 600 known organizations and between 35.8 and 40.7 million individuals.
Progress Software, the company that created MOVEit, was the first to announce that a vulnerability within the software had been exposed. In turn, organizations like NSC that used the software notified affected institutions like Stony Brook.
The breach has already had consequences beyond cyberspace, as TIAA was recently hit with a lawsuit alleging that the organization had failed to properly secure and safeguard the personally identifiable information of its clients. The suit also alleges that TIAA failed to properly notify the plaintiff of the harm they suffered due to the breach, as well as other details such as the timely notification of the attack and specific details of the breach. In addition, it claims that TIAA neglected to furnish an adequate reimbursement, as the company only extended 24 months of identity monitoring protection to those impacted by the breach through a third-party security software solution.
“The injuries to Plaintiff and Class Members were directly and approximately caused by Defendant’s failure to implement or maintain adequate data security measures for the [Personal Identifiable Information] of Plaintiff and Class Members,” the lawsuit read.
Corebridge Financial could also soon be the target of a lawsuit related to the breach, as law firms Turke & Strauss LLP and Markovits, Stock & DeMarco, LLC have both opened investigations into the possible legal actions they could take against the company on behalf of their clientele.
No lawsuit currently exists against NSC. The company announced on its website that it had repaired the vulnerability that allowed the breach to occur and stated they were taking steps to address the problem as quickly as possible.
“Upon learning of the vulnerability, we promptly launched an investigation and took steps to secure our MOVEit environment, including implementing patches to MOVEit software pursuant to Progress Software’s instructions,” a statement posted on NSC’s website read. “We reported the issue to law enforcement and have been working with leading cybersecurity experts to understand the issue’s impact on our organization and our systems.”
