University at Buffalo (UB)
National MOVEit Data Breach
Published August 21, 2023
As recently reported in the news, a major data breach is affecting millions of people. The breach involved exploiting a security vulnerability with the file transfer tool “MOVEit” used by third-party organizations that have a relationship with many corporations and institutions of higher education across the country, including the University at Buffalo.
On This Page
What this means for UB
No systems operated or maintained by UB were breached. We are providing this information so everyone in our community can take steps to protect their personal information.
UB takes data privacy and information security very seriously and this matter is of utmost and vital importance to the university. UB Information Technology is leading the UB team that is actively evaluating the extent of the impact on students and employees.
Information about impacted third-party organizations
The following third-party organizations associated with UB have informed the university that they were impacted by the cyberattack and that confidential information belonging to some UB community members may have been compromised. We have been assured that the third-party systems have now been secured and that those third-parties are in various stages of their investigation in determining the impact of the cyber incident. The impacted companies will directly contact those affected with information about next steps.
The Corebridge Financial has informed us that they were impacted by the cyberattack and that confidential information belonging to some UB employees may have been compromised.
Data for some employees is sent to Corebridge Financial to support retirement services.
The type and extent of the data accessed by the cybercriminals is not yet known, but we have been advised that Corebridge Financial will directly contact those affected with information about next steps. Corebridge Financial has established a dedicated webpage (www.corebridgefinancial.com/vendor-incident) to provide more information and a FAQ.
DMA — which uses MOVEit for file transfer services — informed UB Dental Clinic officials on July 20, 2023, that the cyberattack on MOVEit systems may have resulted in unauthorized access of personal health information of approximately 765 UB Dental patients who received billing statements from the clinic between May 4, 2023, and May 26, 2023. No systems directly operated or maintained by UB Dental were breached or compromised.
At this time, it is believed that only those patients who received billing statements from the UB Dental clinic between May 4 and May 26 may have been impacted and had the following information compromised: practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments, or adjustments. No credit card information or Social Security Numbers were part of the breach.
UB Dental will directly contact those patients affected by mail in mid-August with information about steps patients can take to monitor their credit and safeguard their personal information. Any UB Dental patients with questions about the breach may contact the UB Dental clinic directly at 844-248-9266.
Additional details at https://www.buffalo.edu/news/releases/2023/08/data-media-associates.html
The National Student Clearinghouse (NSC) have informed the university that they were impacted by the cyberattack and that confidential information belonging to approximately 28 current and former UB students have been compromised.
Student data is sent to the NSC for the National Student Loan Data System (NSLDS) as required by the U.S. Department of Education.
For those 28 impacted, data included first and last name, date of birth, and possibly contact information, degree and enrollment information. No Social Security Numbers or transcripts were exposed. We have been advised that NSC will notify impacted current or former students and offer identity monitoring services from Kroll. The National Student Clearinghouse is providing information about their response at alert.studentclearinghouse.org.
The Teachers Insurance and Annuity Association (TIAA) has informed the university that they were impacted by the cyberattack and that confidential information belonging to approximately 135 active UB employees have been compromised.
TIAA’s partner, Pension Benefit Information, LLC, (PBI) directly contacted impacted individuals in August and offered credit monitoring services from Kroll. PBI has also posted information and resources at https://www.pbinfo.com/faq-consumer/.
United Healthcare Student Resources (UHCSR) have informed us that they were impacted by the cyberattack and that confidential data belonging to some students enrolled in health insurance plans through UB or SUNY may have been compromised.
While the information compromised varied by individual, it may have included a combination of names, date of births, addresses, phone numbers, email addresses, plan identification numbers, policy information, student identification numbers, claims information, including claim numbers, provider information, dates of services, diagnosis codes, prescription information, and claims financial information. For a subset of the impacted students, the information involved also contained Social Security numbers or national identification numbers. This incident did not involve the disclosure of driver’s license numbers or any financial account information. Not all data elements were involved for all individuals.
We have been advised that UHCSR will directly contact those affected, will include a two-year offer for LifeLock® Identity Theft Protection Services as well as provide guidance on steps that individuals can take to help protect themselves from identity theft. United Healthcare is also providing a dedicated toll-free phone number 1 (866) 341-4262 for additional information.
Things you can do to protect yourself
- Be extra vigilant: It is possible that cybercriminals may leverage stolen personal information from this attack to craft convincing phishing attacks in the coming weeks and months. An email, notice, or text message containing accurate information about you or one of your accounts is not enough to verify authenticity. Verify the source of a message before responding. Take note of how to identify a phishing attack. Phone calls may also be used to obtain personal or financial information.
- Monitor your financial accounts and credit: It is always wise to monitor your credit report for unusual activity. Consider putting a credit freeze in place to frustrate would-be scammers if you believe you are being targeted.
- Secure your accounts: Remember to enable two-factor authentication and to use long passphrases for all of your accounts. Never give someone your password or a two-factor code if asked for it, even if they claim to be from a trusted organization.