National Student Clearinghouse, a non-profit organization that provides educational reporting, verification, and data exchange services, has disclosed a data breach that affected 890 colleges and universities.
The breach occurred between May 17 and May 20, 2023, when an unauthorized actor exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362) that the organization used to share files with its clients. The attacker was able to access and download files containing personal information of students, alumni, and staff from various educational institutions.
According to the organization, the compromised files included names, dates of birth, Social Security numbers, and other data elements that vary by school. The organization said it has notified the affected schools and individuals, and offered them free credit monitoring and identity theft protection services for one year.
The organization also said it has taken steps to secure its systems, such as patching the vulnerability, resetting passwords, enhancing monitoring, and conducting a forensic investigation. It has also reported the incident to law enforcement and regulatory authorities.
The MOVEit Transfer vulnerability (CVE-2023-34362) is a SQL injection vulnerability that allows an unauthenticated attacker to execute arbitrary SQL commands on the underlying database of the web application. SQL injection is a common web application attack technique that exploits a lack of input validation or output encoding in the application code: when user-supplied input is placed into a query without being validated or escaped, the database treats part of that input as SQL. An attacker can craft malicious SQL statements and inject them into the application’s queries, resulting in data leakage, data manipulation, or even complete database takeover.
The vulnerability was discovered and reported by Mandiant, a cybersecurity firm, on May 26, 2023. The vendor of the web application, Progress Software, issued a security advisory and patches on May 31, 2023. However, the vulnerability had already been exploited in the wild by the Clop ransomware group and other threat actors since May 17, 2023. The Clop ransomware group is known for stealing data from its victims before encrypting their files and demanding ransom. The group also operates a leak site where it publishes the stolen data of victims who refuse to pay.
The vulnerability affects all versions of MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). Users of the web application are advised to apply the patches as soon as possible, or follow the mitigation steps provided by the vendor. The vulnerability has been assigned a CVSS score of 9.8 out of 10, indicating a critical severity level.
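The fixed-build list above can be turned into an inventory check. The following is an added example, not code from Progress Software or from the organizations named in this article; the hostnames and installed versions are constructed sample data, and treating branches that the list does not mention as "older means affected, newer means fixed" is an assumption drawn from the "all versions before" wording.

```python
# Fixed builds copied from the paragraph above: (major, minor) branch -> first fixed patch level.
FIXED = {(13, 0): 6, (13, 1): 4, (14, 0): 4, (14, 1): 5, (15, 0): 1}
# The article pairs product-year names with internal majors: 2021 = 13, 2022 = 14, 2023 = 15.
YEAR_TO_MAJOR = {2021: 13, 2022: 14, 2023: 15}


def parse_version(text):
    """Return (major, minor, patch); accepts '14.0.3' or '2022.0.3', ignores extra components."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    if major >= 2000:  # product-year form
        if major not in YEAR_TO_MAJOR:
            raise ValueError(f"year-style version not covered by the list: {text!r}")
        major = YEAR_TO_MAJOR[major]
    return major, minor, patch


def assess(text):
    """Classify a version as 'patched', 'vulnerable' or 'vulnerable-no-fix-listed'."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    # Assumption: an unlisted branch older than the newest listed one falls under
    # "all versions before"; a newer branch post-dates the fix.
    return "patched" if branch > max(FIXED) else "vulnerable-no-fix-listed"


def triage(inventory):
    """Return (host, version, status, upgrade_target) for every host needing action."""
    findings = []
    for host, version in sorted(inventory.items()):
        status = assess(version)
        if status == "patched":
            continue
        major, minor, _ = parse_version(version)
        target = f"{major}.{minor}.{FIXED[(major, minor)]}" if status == "vulnerable" else None
        findings.append((host, version, status, target))
    return findings


# Constructed inventory: hostnames and versions are invented sample data.
SAMPLE = {"xfer-a": "14.0.3", "xfer-b": "2023.0.1", "xfer-c": "12.1.8", "xfer-d": "13.1.4.2"}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A host reported as `vulnerable-no-fix-listed` is on a branch for which the list above names no patched build, so it needs the vendor's mitigation steps or an upgrade to a listed branch rather than an in-branch patch.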
The National Student Clearinghouse data breach is one of many incidents in which the MOVEit Transfer vulnerability was exploited. Other victims include Shell, Bombardier, Qualys, and the University of Colorado. The vulnerability demonstrates the importance of timely patching and secure coding practices for web applications, especially those that handle sensitive data. Users of web applications should also monitor their systems for any suspicious activity, and report any incidents to the appropriate authorities.