UPDATED: University Statement Regarding the MOVEit Data Breach

This statement was originally published on July 2, 2023, and was updated on July 26, 2023.

Webster University has been informed by two vendors, the National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA), that they were impacted by the MOVEit Transfer vulnerability. MOVEit Transfer is not used at Webster University. NSC and TIAA have assured Webster that any member of our community who is affected will be notified directly and provided information about next steps and whom to contact for inquiries. 

TIAA

TIAA provides investment and insurance services for employees who work for non-profit organizations, including educational institutions such as Webster. The MOVEit Transfer software is used by one of TIAA’s third party vendors, Pension Benefit Information, LLC (PBI). Webster understands that PBI experienced a cyber-attack that exposed certain personal information. TIAA has informed Webster University that no information was obtained from TIAA’s systems, that TIAA systems are not threatened, and that TIAA has seen no related unusual activity involving TIAA accounts. Webster also understands that PBI provided notice directly to impacted individuals in mid-July. 

NSC

NSC performs required compliance reporting, data exchange, verification, and transcript services to Webster, and many higher education institutions. NSC has informed Webster that they believe that an unauthorized party obtained certain files transferred through the MOVEit Transfer tool, potentially including files containing personal data that NSC maintains on behalf of Webster University. It is Webster’s understanding that NSC has no evidence that the unauthorized party was specifically targeting Webster University data on their systems. For additional information from NSC, please review the information on its website. 

What is Webster doing? 

Webster University continues to take these incidents and their potential impact to our community very seriously. Webster has taken the following measures to address these incidents: 

• We continue to diligently follow-up with both NSC and TIAA for updates regarding the scope and the potential impact of the incident to the Webster community. 
• We are evaluating file transfer protocols pertaining to Webster’s third party vendors. 
• We are continuously analyzing and investigating the incident and the impact to the Webster community.

What can you do?

We encourage the entire Webster community to remain vigilant and to be mindful of suspicious events or activity involving their personal data. Regardless of whether your data was exposed in this incident, it is good practice to keep the following resources in mind:

• Consider placing a credit freeze on your credit report with each of the three credit reporting agencies (Experian, TransUnion, and Equifax). Check your credit report at annualcreditreport.com.  
• Frequently review your financial accounts. The FTC has useful resources to consult that provide helpful information to consider. 
• Banks and credit reporting agencies also often allow individuals to review changes to their credit report free of charge and to be alerted of changes to their credit report. Your bank may be able to provide you with additional information if it offers this service. 

Adhering to the above recommendations is strongly recommended as it may help aleviate issues arising if an unauthorized party has actually accessed personal data that NSC or TIAA processes on behalf of Webster, and may help mitigate any potential impacts. 

In case of questions, please contact the Webster University Office of Privacy via email at privacy@webster.edu.