UPDATED: July 21, 2023, 11:04 a.m. CDT
POSTED: July 17, 2023, 4:37 p.m. CDT
Dear GSU Community,
Governors State University is monitoring three related nationwide data breaches traced back to MOVEit Transfer file application, which may impact the personal data of GSU students and employees. Please read this notice in full for important information about steps you can take to ensure the security of your personal data. While GSU does not use MOVEit, third parties that perform services for GSU do, including the National Student Clearinghouse (the “Clearinghouse”), the Teachers Insurance and Annuity Association of America (“TIAA”), and the Illinois Department of Innovation Technology (“DoIT”). While there is no indication that GSU’s systems were breached, the data of GSU students and employees appear to have been compromised while in the possession of third party contractors.
Regarding GSU students, the Clearinghouse has notified GSU that files it maintains on behalf of GSU were accessed as part of this global cybersecurity data breach. Information relating to GSU students, which may include names, dates of birth, contact information, enrollment and degree information, student identification numbers, and Social Security numbers were included in the files that were part of the cybersecurity incident. You can find the Clearinghouse’s statement on this incident and additional information here. At this time, GSU does not know how many students may have been impacted or the names of individuals impacted. GSU continues to monitor this situation and will update the community as additional details become available.
Regarding GSU employees, DoIT sent letters to certain GSU employees on or about July 5, 2023 notifying them that their personal information may have been accessed. Also regarding GSU employees, GSU has been notified by TIAA that GSU employee data was unlawfully accessed as part of this cybersecurity attack through TIAA’s third party vendor. In each instance, personal identifiable information, including name, address, and social security number may have been accessed (and, for TIAA, date of birth). At this time, GSU does not know how many employees’ data may have been accessed, or the names of all those impacted. GSU is working with DoIT and TIAA to obtain further information and will update the community as additional details become available.
GSU recommends that all GSU community members review and monitor their credit accounts closely for suspicious or unauthorized activity. You should take any necessary precautions to protect your credit accounts, which may include updating your applicable account credentials (usernames, email addresses, passwords, security answers, and PIN numbers). You should not use the same passwords across multiple accounts.
In the event you discover suspicious activity on your credit reports, you should contact your local police or sheriff’s office and file a police report of identity theft. You should request a copy of the police report. Even if you do not find any signs of fraud on your credit reports, you should continue checking your credit reports every three months for the next year as a precaution. For additional information on identity theft, including steps to take if you become a victim, please visit the Federal Trade Commission’s website at IdentityTheft.gov. You can also contact the Illinois Attorney General with any questions at the toll-free Identity Theft Hotline: 1-866-999-5630 or visit IdentityTheft at illinoisattorneygeneral.gov.
You can also check your credit report for free and, if necessary, consider placing a credit freeze on your credit report with each of the three credit reporting agencies. Please call the credit bureaus or visit their websites listed below for more information:
GSU takes the privacy and security of all members of our campus community seriously and will continue to actively monitor the situation and keep the community updated as it progresses. Please continue to monitor the webpage GSU has established for additional information and updates.
As has been widely reported in the news, criminals have exploited a vulnerability in the Progress Software MOVEit file transfer application (“MOVEit”), resulting in authorized access to data stored by MOVEit. GSU does not use MOVEit. However, third parties with which GSU contracts do use MOVEit, including the National Student Clearinghouse (the “Clearinghouse”). The Clearinghouse has notified GSU that files it maintains on behalf of GSU were accessed as part of the cybersecurity incident. Information relating to GSU students, which may include names, dates of birth, contact information, enrollment and degree information, student identification numbers, and Social Security numbers were included in the files that were part of the cybersecurity incident.
At this point, the Clearinghouse has not informed GSU of the names of impacted individuals whose data may have been compromised. The Clearinghouse continues to investigate this incident and has promised to notify GSU when it learns of the individuals impacted. Therefore, GSU recommends that all students act as though their information was compromised until we know otherwise.
Certain employees of the university have been informed by the State of Illinois’ Department of Innovation and Technology (“DoIT”) that the cybersecurity incident impacted DoIT as well. We believe DoIT is notifying employees who may have been impacted directly via U.S. mail. Employees who receive such notice should follow the instructions in that letter.
GSU recommends that you closely monitor your financial accounts for suspicious activity. You can also check your credit report for free and, if necessary, consider placing a credit freeze on your credit report with each of the three credit reporting agencies.
The Clearinghouse provides educational reporting, data exchange, verification, and research services to many higher education institutions, including GSU. In connection with such services, GSU shares information on prospective and current GSU students, including such students’ social security numbers, but not including any financial account information. NSC has posted information about this incident to the NSC website, including answers to questions here. General information about the Clearinghouse’s published data privacy and security practices can be found on the Clearinghouse’s website here.
GSU will continue to update this page with any updates as needed.