MOVEit Transfer Data Security Incident

UIndy is monitoring three data security incidents traced back to MOVEit Transfer, a file transfer software used by third-party contractors to securely transfer files from one system to another.

The University was recently notified by TIAA, a company that manages UIndy retirement funds, Genworth a company that manages UIndy's long-term care insurance, and National Student Clearinghouse (NSC), which manages degree verification and enrollment, that sensitive data may have been exposed during file transfers.

UIndy, TIAA, and Genworth (via PBI) have already notified the individuals impacted by the TIAA & Genworth incident. NSC's impacted individuals will be notified as well.

Further information on the incidents can be found on the respective websites:

FAQs:

What is the National Student Clearinghouse, and why do campuses provide student information to this organization?

The National Clearinghouse provides educational reporting, data exchange, and verification services to many colleges and universities nationwide. To allow NSC to provide these services, colleges and universities must provide NSC with students’ confidential information.

What does TIAA do for UIndy?

TIAA is a retirement benefits company UIndy uses on behalf of our employees.

What does Genworth do for UIndy?

Genworth is long-term care insurance company UIndy uses as an optional employee voluntary benefit on behalf of our employees.

When was UIndy first notified of the NSC incident?

On June 28, 2023, NSC confirmed the incident.

When was UIndy first notified of the TIAA incident?

On June 29, 2023, TIAA confirmed the incident. On July 14, 2023, letters were sent by PBI to the impacted parties.

When was UIndy first notified of the Genworth incident?

UIndy was made aware of Genworth's involvement by way of a letter to affected individuals dated July 21, 2023.

Why is UIndy only now reporting the incident to students, employees, and retirees whose information might be compromised?

The information shared with us by the breached entities was limited due to ongoing forensic investigations. As a developing story, UIndy did not have enough information to share with the community or the impacted individuals.

What specific types of personal data have been or may have been compromised?
  • While NSC processes data for a large number of students, evidence gathered has included just one student's date of birth, social security number and transcript has been exposed. This individual will be notified.
  • TIAA: Potentially, employee or retiree data, including personal identifying information and social security numbers, may be compromised.
  • Genworth: the personal information data elements impacted includes one or more of the following: First and Last Name, SSN, Date of Birth, Zip Code, State, Policy Number, Individual's Role, and general product type. For those that are deceased, the additional personal information data elements include City, Date of Death, and the source of that information.
Has there been any known attempt to use any compromised data or any demand for ransom or other action by the hackers?

TIAA, NSC, nor Genworth has not notified us of evidence of any attempted use of the compromised data or any ransom demand.

What steps, if any, should such students, employees, and retirees take on their own?

UIndy highly recommends taking advantage of your right to obtain a free annual credit report from each major credit reporting company, namely Experian, Equifax, and TransUnion. In case of any concerns regarding identity theft, you may also wish to consider contacting the Federal Trade Commission through their website at https://www.ftc.gov/ or https://consumer.ftc.gov/features/identity-theft. These proactive measures can help safeguard your personal information and financial well-being. 

UIndy Human Resources, the Registrar’s Office, and UIndyIT do not have additional information to share beyond what is provided above. All three entities are working diligently with TIAA, NSC, and Genworth to obtain additional information and clarification on the potential scope and impact of the incident.

This Tech Guide will be updated as we receive more information. If you have specific security questions, please email [email protected].