Third-Party Data Breaches Related to MOVEit Software

Update: September 7

Multiple third-party vendors notified Biola University that sensitive student information may have been compromised by the MOVEit data breach. The breaches were a result of an exploited vulnerability in the "MOVEit" software used to transfer data between vendors.

Biola has finished working with third-party vendors to communicate with students who may have been affected by the breach.

This was a breach of Biola’s third-party vendors. Biola's systems were not affected by this breach.

Information Shared on July 28

National Student Clearinghouse

The National Student Clearinghouse (NSC) originally notified Biola University in July that sensitive student information may have been compromised due to an unauthorized party obtaining certain files transferred through the MOVEit Transfer tool. Biola, like many other higher education institutions, contracts with NSC to provide educational reporting and verification services.

Since then, NSC identified that only directory-level information was included in the breach, and no sensitive information was compromised. Consequently, NSC will not be notifying affected individuals or offering identity theft protection services.

Information about this incident from NSC can be found at https://alert.studentclearinghouse.org/

United Healthcare

Biola University was notified that United Healthcare, a provider of Student Health Insurance, suffered a breach as a result of the MOVEit vulnerability. Potentially compromised student data may include name, date of birth, address, phone number, email address, social security number, health claims, prescriptions, diagnosis, and provider information. United Healthcare emphasized that not all data elements were compromised for all individuals, and they have not revealed details about the scope of the breach or the number of affected users.

United Healthcare has advised us they have recently contacted affected users and offered to provide additional guidance as well as identity theft protection services.

For more information about the United Healthcare breach, see their report here: https://www.uhcsr.com/media/dbd8af76-4e09-4bd1-b94c-eb94a4b4fdc6

Recommendations

There are no immediate actions for you to take at this time, but check back to this page for future updates as the situation unfolds.

This is also a reminder of the importance of maintaining good cyber hygiene. You can protect yourself and others by taking the following steps:

• Monitor your credit report for suspicious changes. You can use a third party service for this, or this may be available at no cost through your financial institution.

• Protect all your online accounts by enabling Mult-Factor Authentication (MFA) when available.

• Be suspicious of requests for personal data, and report suspicious messages to phishing@biola.edu.

• If you think your identity may have been stolen, follow the FTC’s identity theft protection guide.