Third-party data breach impacts WSU community members

Updated July 24, 2023

According to national news media reports, many businesses and organizations worldwide have been impacted by a cybersecurity incident related to a widely used filesharing application known as MOVEit Transfer.

While Washington State University does not use the MOVEit software, WSU has received notifications from third-party service providers that personally identifiable information from some current and prospective WSU students and employees may have been exposed.

The third-party service providers who have contacted WSU include the National Student Clearinghouse (NSC), the Teachers Insurance and Annuity Association (TIAA), and UnitedHealthcare.

National Student Clearinghouse

The National Student Clearinghouse is a nonprofit organization that provides educational reporting, data exchange, and verification services to more than 3,600 colleges and universities nationwide. WSU works with the clearinghouse for a variety of purposes including enrollment and degree verification services and student loan reporting requirements. Data provided to the National Student Clearinghouse includes personally identifiable information and education records. 

The National Student Clearinghouse has posted details about this incident on its website.

Teachers Insurance and Annuity Association (TIAA)

TIAA is a financial organization that offers investment and insurance services to employees working in the academic, research, medical, governmental, and cultural fields. Washington State University provides names, addresses, dates of birth, and social security numbers for those employees who choose to participate in TIAA services. The data transferred from WSU to TIAA was not compromised. However, TIAA has indicated that Pension Benefit Information, LLC, an outside vendor it shares information with, has been impacted.

UnitedHealthcare

UnitedHealthcare makes health insurance plans available to college students across the country, including at Washington State University. UnitedHealthcare notified the university that personally identifiable information, as well as claims information, for some of its WSU student customers was accessed during a MOVEit Transfer cyberattack in June.

UnitedHealthcare has established a dedicated, toll-free telephone number (1-866-341-4262) that its policy holders can call for additional information regarding the MOVEit Transfer breach.

What steps can I take to protect myself?

The Federal Trade Commission offers recommendations if you think your personal information has been compromised. These include:

  • Closely monitor your credit reports.
    • You can obtain a free copy of your credit report from each of the three major credit reporting agencies; Equifax, Experian, and TransUnion.
  • Place a fraud alert on your accounts.
    • A fraud alert tells creditors to contact you before opening any new accounts or before making changes to existing accounts. You can place a fraud alert by contacting one of the three credit reporting agencies. A fraud alert at one of the agencies will automatically notify the other two services.
  • Freeze your credit at each of the three major credit reporting agencies.
  • If you believe you are the victim of identity theft, file a police report and notify the Federal Trade Commission at www.identitytheft.gov.
  • Block electronic access to your Social Security information.
    • Contact the Social Security Administration at 1-800-772-1213 to block electronic access. This will prevent anyone from being able to see or change your personal information on the internet or by the administration’s automated telephone service.

Moving forward

Washington State University expects that the National Student Clearinghouse, UnitedHealthcare, and Pension Benefit Information, LLC, a vendor for the Teachers Insurance and Annuity Association, will contact impacted individuals directly with additional details where required by law.

WSU will continue to update this webpage as new information becomes available from the service providers.