• Departments & Offices
• IT
• Announcements

MOVEit Transfer Security Incident

Summary

You may be aware of the cybersecurity event that is impacting thousands of organizations across the world involving a software product called MOVEit. W&M does not use the MOVEit data transfer product itself and university systems are not directly impacted by this event. However, at least three of the university’s third-party vendors who handle data involving W&M people have been impacted (National Student Clearinghouse, United Healthcare and TIAA).

Full Description

W&M is aware that three university vendors were impacted by a recent cybersecurity incident involving a vulnerability in one of their third-party software tools, MOVEit Transfer, a product of Progress Software. MOVEit Transfer is used by thousands of organizations worldwide to transfer enterprise files. W&M does not use the MOVEit data transfer product itself and university systems are not directly impacted by this event. However, at least three of the university’s third-party vendors who handle data involving W&M people have been impacted (National Student Clearinghouse, United Healthcare and TIAA).

While the majority of our community will remain unaffected, we want you to be aware and to be on the lookout for messages from these vendors as they will be reaching out directly to impacted individuals.

W&M IT has convened its Incident Response Team (IR) who is monitoring the situation and will provide updates on this page as they become available. 

The following third-party service providers have notified us that data pertaining to W&M students, faculty and/or staff may have been impacted as a result of the MOVEit incident:

National Student Clearinghouse (NSC) 

NSC is a nonprofit organization that provides educational reporting, verification, and research services to North American colleges and universities.  William & Mary partners with NSC for transcript ordering, enrollment reporting, research services and enrollment and degree verification. NSC will contact you directly if your data is at risk. Visit the NSC website for additional information. 

The Teachers Insurance and Annuity Association (TIAA) 

TIAA is a financial organization that provides investment and insurance services for those working for organizations in the nonprofit industry in academic, research, medical, government and cultural fields. TIAA's subcontractor, Pension Benefits Information (PBI), will contact you directly if your data is at risk. For additional information on safeguarding your account and staying updated, please visit the TIAA Security Center or contact TIAA directly at 800-842-2252 or via email at abuse@tiaa.org.

• Participants can call TIAA’s National Call Center in advance of receiving their letter from PBI.
• The phone number for the NCC is 1-800-842-2252.

United Healthcare

The Student Injury & Sickness Insurance Plan designed especially for W&M students is underwritten by United Healthcare Insurance Company. UH will contact you directly if your data is at risk. 

What you can do to help protect your personal information 

• Closely monitor your financial accounts for suspicious activity.
  • See the FTC’s “Warning signs of identity theft” website for tips on what to look out for. 
• Check your credit report at annualcreditreport.com. 
• Consider placing a credit freeze on your credit report. 

Please send any questions related to this incident to [[ciso]].

Frequently Asked Questions

frequently asked questions

Were all students impacted by the National Student Clearinghouse breach? A very small number of students were imacted by the NSC breach. If you were impacted, you will receive updates directly from NSC.

I am an employee that uses TIAA, was my data breached? A limited number of employees were impacted by the TIAA breach. Individuals impacted by the data breach with TIAA will receive specific details directly from them.

I have United Healthcare, was my data breached? A limited number of students were impacted by the UH breach. Individuals impacted by the data breach with UH will receive specific details directly from them.

I haven't heard from any of these vendors. Does that mean I am in the clear? It is our understanding that all three organizations have completed their communications to impacted users.

I've been notified that I was included in the breach. Now what? Here are some things you can do to protect your personal information.

Why would W&M use a product that is susceptible to this kind of breach? W&M does not use the MOVEit data transfer product itself. The university is one of thousands of other organizations who use these third-party vendors.