This is an update to provide important information about the Clearinghouse’s response to the MOVEit cybersecurity issue. As you know from our prior bulletin, an unauthorized third party exploited a vulnerability in the MOVEit Transfer software to obtain certain files transferred through the software, including files containing personal information that the Clearinghouse maintains on behalf of NMMI.
The Clearinghouse has engaged Kroll, an incident response service provider, to help the Clearinghouse provide NMMI with information about the individuals whose personal information was affected and to support the notification process.
What Information Was Involved?
The files obtained by the unauthorized third party contained personal information pertaining to current and former students of educational institutions and customers of education finance organizations. The types of personal information that were included in the files varied by individual. For NMMI’s affected data, they generally included names, contact information, and educational information such as enrollment, degree, and course-level data (the course-level data was contained in files such as transcripts and Postsecondary Data Partnership reports).
They did not identify any individuals associated with NMMI whose Social Security number (“SSN”), student identification number (“Student ID”), or date of birth (“DOB”), as provided by NMMI, was included in the affected files.
Next Steps
NMMI will continue to seek all the information we can get from Kroll and provide additional information when received.