Moveit Breach Communications

Dear KCTCS community,

As you may have seen in the news, a vulnerability to the file transfer application MOVEit (MOVEit Software) has been impacting organizations and exposing personal data worldwide. KCTCS uses the MOVEit in a limited fashion to receive test scores from another state agency, but not personal information that would result in the ability to steal a person’s identity. The Commonwealth Office of Technology has indicated they see no impact on the information shared in this manner. However, some of our third-party providers do use it to convey personally identifiable information.

The National Student Clearinghouse (NSC) and The Teachers Insurance and Annuity Association (TIAA) have notified KCTCS that certain personally identifiable information that we share with NSC and TIAA may have been exposed.  This is due to the use of MOVEit’s Software in connection with these third parties providing services to KCTCS. Based on notices that these parties have provided, and on information posted online, NSC and TIAA are continuing to investigate the MOVEit data breach. Additional information concerning the services provided by NSC and TIAA to KCTCS is summarized at the bottom of this notice.

Since our initial receipt of notice of this incident, KCTCS has been in contact with NSC and TIAA to confirm the next steps these parties will take to address this situation. KCTCS takes the privacy and security of all members of our campus community seriously and are continuing to actively monitor the situation.

Though you will receive written notice from NSC or TIAA if your personal information has been affected by this breach, Technology Solutions (TS) recommends that you go ahead and closely monitor your financial accounts for suspicious activity. You can also check your credit report for free and, if necessary, consider placing a credit freeze on your credit report with each of the three credit reporting agencies.

Summary of Information by Provider:

National Student Clearinghouse (NSC)

NSC provides educational reporting, data exchange, verification, and research services to many higher education institutions, including KCTCS. In connection with such services, KCTCS shares information on prospective and current KCTCS students, including such students’ social security numbers, but not including any financial account information. NSC has posted information about this incident to the NSC website, including answers to questions here. General information about NSC’s published data privacy and security practices can be found on the NSC website here.

The Teachers Insurance and Annuity Association (TIAA)

TIAA is a financial organization that acts as a fund sponsor under KCTCS’ 403(b) defined contribution plan. TIAA has advised KCTCS that certain personal information of participants in such plan, including social security numbers, was exposed in the MOVEit data breach. The list of affected individuals provided appears to indicate that mostly former employees were impacted rather than currently employed individuals.

TIAA’s third-party vendor, Pension Benefit Information, LLC (PBI), which uses the MOVEit Software in providing services to TIAA, was the actual party directly affected by the data breach. It is anticipated that PBI will send the data breach notice on behalf of TIAA to affected persons. TIAA is monitoring participant accounts for unusual activity and, to date, has not notified KCTCS of any improper activity in accounts of KCTCS participants as a result of the incident. For additional information on safeguarding your account and staying updated, please visit the TIAA Security Center or contact TIAA directly at 800-842-2252 or via email at abuse@tiaa.org.

KCTCS will continue to update this page with any updates as needed.