EWU Notified of Third-Party Data Breach

August 20, 2023
A person working on cybersecurity.

Eastern Washington University (EWU) was recently notified of a data breach with an application provider used by third-party vendors that impacts students, alumni and employees. Data security is of the utmost importance and the university has internal safeguards in place to prevent system breaches. More information about the vendors, what services they provide to EWU (including the data shared), identity theft resources and the steps EWU is taking to notify impacted individuals are provided below.

What was breached and when?

The breach has been attributed to the software application, MOVEit Transfer, utilized by the National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA) for file transfer and storage. The software is not used by EWU and no system operated by the university has been breached; it is only used by the third-party vendors. Those vendors have reported that information was accessed on or around May 30, 2023. EWU was then alerted by the NSC on June 28 that some individuals’ information may have been compromised but were unable to provide additional details. The university received confirmation of the impacted individuals by the NSC breach on August 14. EWU is awaiting information on potentially impacted individuals from TIAA.

What data was accessed?

Some individuals had private, protected information accessed that may have included sensitive data such as social security number, birth date, student identification number or academic transcript information. This data, often referred to as personal identifiable information (PII), is considered private and confidential with limited access to authorized personnel and vendors. Unauthorized access to this data requires notification of impacted individuals.

Other data accessed includes “directory information” that is generally accessible to the public, such as name, dates of attendance and degrees received–this information is not considered sensitive. While notifications are not required when this information is accessed, EWU is notifying the campus community and the general public for awareness.

Who is impacted and what is EWU doing about it?

There are two breach incidents that EWU has been notified about: the National Student Clearinghouse (NSC) and Teachers Insurance Annuity Association (TIAA).

National Student Clearinghouse (NSC):
At this time, EWU can confirm that of the 13,646 student and alumni records that were included in the MOVEit Transfer breach with the National Student Clearinghouse, only two records contained sensitive and protected information. EWU is directly notifying those whose sensitive information has been accessed through the breach and providing them with identity theft monitoring and prevention tools and resources. While some personal identifiable information (PII) was accessed, no social security numbers were breached in this instance.

Teachers Insurance Annuity Association (TIAA):
The scope of the impact for the MOVEit Transfer breach with Teachers Insurance Annuity Association’s vendor is still under review. Eastern is still awaiting specific information from TIAA about how many individuals were impacted and what types of data might have been exposed. Eastern will provide updated information to the community once we receive it from TIAA and will notify any impacted individuals whose PII may be compromised once the analysis is complete.

Who can I contact for more information?

General questions from concerned individuals can be directed to: Nikki Measor at nmeasor@ewu.edu or 509.359.6586.

Media inquiries can be directed to Dave Meany at dmeany@ewu.edu or 509.359.6335.

Additional information and resources:

National Student Clearinghouse (NSC)

The NSC is a nonprofit organization that provides educational reporting, data exchange, and verification services to more than 3,600 colleges and universities. Universities use the NSA for a variety of purposes, such as verifying enrollment status and awarded degrees. NSC has notified Eastern that the software vulnerability allowed unauthorized access to student directory information such as names, contact information and degrees attained. For additional information about the National Student Clearinghouse data breach, please visit their website.

Teachers Insurance and Annuity Association (TIAA)

TIAA is a financial organization that provides services for investment, retirement, and financial planning. Some Eastern employee retirement benefits are administered by TIAA. For those employees who choose to participate in TIAA services, Eastern provides TIAA with sensitive data. The data transferred from Eastern to TIAA was not compromised. However, TIAA indicated one of its outside vendors, Pension Benefit Information, LLC, was impacted.

Identity Theft Resources

If you have concerns about your financial records or identify theft, you can immediately take steps to protect yourself by visiting this helpful website at the Federal Trade Commission: https://www.identitytheft.gov/#/Steps