The Student News Site of Stony Brook University

The Statesman

41° Stony Brook, NY
The Student News Site of Stony Brook University

The Statesman

The Student News Site of Stony Brook University

The Statesman


Cyberattack raises security concerns among SBU students and faculty

An image of an anonymous computer hacker over an abstract digital background. Institutions affiliated with Stony Brook University have become targeted by a cyberattack, threatening the private data of students and faculty. JERNEJ FURMAN VIA FLICKR UNDER CC BY 2.0

Several institutions affiliated with Stony Brook University have become targeted by a cyberattack, putting the private data of students, faculty and staff at risk.

In an email sent to the campus community on July 11, Lawrence M. Zacarese, the vice president for Enterprise Risk Management, and Matt Nappi, the assistant vice president of the Division of Information Technology, announced that the attack had taken place and shared how it could affect the SBU community.  

According to the email, the affiliated institutions in question were the National Student Clearinghouse (NSC), the Teachers Insurance and Annuity Association (TIAA) and Corebridge Financial. 

The type and extent of the data accessed by the cybercriminals is not yet known, but we have been advised that the impacted organizations will notify you personally in due course if your information was affected,” the email read.

While Zacarese and Nappi did not provide any specific information related to exactly what data could have been accessed, Corebridge Financial has disclosed that the information leaked may include full names, social security numbers, addresses, and dates of birth.

The Stony Brook Media Relations Office declined to provide answers to a list of questions sent by The Statesman. University officials instead directed The Statesman to the previous email sent by Zacarese and Nappi. 

The cyberattack was part of a broader effort conducted by the Russian hacking group CL0P. The group exploited a vulnerability in software called MOVEit used by the affected organizations for transferring and storing digital files. This allowed CL0P to gain access to personal data stored by the organizations. According to the website KonBriefing, the attack has affected over 600 known organizations and between 35.8 and 40.7 million individuals.

Progress Software, the company that created MOVEit, was the first to announce that a vulnerability within the software had been exposed. In turn, organizations like NSC that used the software notified affected institutions like Stony Brook.

The breach has already had consequences beyond cyberspace, as TIAA was recently hit with a lawsuit alleging that the organization had failed to properly secure and safeguard the personally identifiable information of its clients. The suit also alleges that TIAA failed to properly notify the plaintiff of the harm they suffered due to the breach, as well as other details such as the timely notification of the attack and specific details of the breach. In addition, it claims that TIAA neglected to furnish an adequate reimbursement, as the company only extended 24 months of identity monitoring protection to those impacted by the breach through a third-party security software solution.

“The injuries to Plaintiff and Class Members were directly and approximately caused by Defendant’s failure to implement or maintain adequate data security measures for the [Personal Identifiable Information] of Plaintiff and Class Members,” the lawsuit read

Corebridge Financial could also soon be the target of a lawsuit related to the breach, as law firms Turke & Strauss LLP and Markovits, Stock & DeMarco, LLC have both opened investigations into the possible legal actions they could take against the company on behalf of their clientele. 

No lawsuit currently exists against NSC. The company announced on its website that it had repaired the vulnerability that allowed the breach to occur and stated they were taking steps to address the problem as quickly as possible.

“Upon learning of the vulnerability, we promptly launched an investigation and took steps to secure our MOVEit environment, including implementing patches to MOVEit software pursuant to Progress Software’s instructions,” a statement posted on NSC’s website read. “We reported the issue to law enforcement and have been working with leading cybersecurity experts to understand the issue’s impact on our organization and our systems.”

Leave a Comment
Donate to The Statesman

Your donation will support the student journalists of Stony Brook University. Your contribution will allow us to purchase equipment and cover our annual website hosting costs.

More to Discover
About the Contributor
Sky Crabtree, Assistant News Editor
Sky Crabtree is an Assistant News Editor for The Statesman and a sophomore studying journalism and political science. He joined the paper in the spring of 2023 as a news reporter and was promoted at the end of the same semester. Outside of The Statesman, you can catch him reporting on WUSB's weekly news show and as a member of the Stony Brook Media Group.
Donate to The Statesman

Comments (0)

All The Statesman Picks Reader Picks Sort: Newest

Your email address will not be published. Required fields are marked *