College kids should review passwords and credit amid massive Progress software data breach

Krystal Nurse, USA TODAY
Updated ·6 min read

A data breach affecting nearly 200 colleges and universities is causing some students to feel uneasy as the semester starts and experts urge them to safeguard their information and credit.

Progress, a software development company, announced in May that unauthorized users exploited vulnerabilities in its MOVEit Transfer and MOVEit Cloud programs. The company released a security update days later, but not before Cl0p, a hacker group, gained unauthorized access to people's personal information, the U.S. Department of Homeland Security announced in June.

The breach particularly hit higher education institutions, as they tend to use multiple second-party websites to offer health insurance for students, such as UnitedHealthcare, and to verify people's degrees, such as the nonprofit National Student Clearinghouse. Those two websites rely on the MOVEit software to relay information to higher education institutions about current and past students.

Incoming freshmen walk through campus after moving into dormitories at University of Colorado Boulder on Aug. 18, 2020.
Incoming freshmen walk through campus after moving into dormitories at University of Colorado Boulder on Aug. 18, 2020.

KonBriefing, a market research company focused on informational technology, said the ransomware attack affected an estimated 179 colleges and universities in 41 states as of last week. The attack happened weeks after College Decision Day, May 1, and in between college graduations, impacting current and former students.

Gabby Sabo, 20, told USA TODAY she had no choice but to give Michigan State University her Social Security number, financial information, address and birthday during the application and enrollment process. She doesn't know if the breach affected her, but it eroded the trust she has in higher education.

"They should do a better job because they have a lot of information on everyone because you have to give your social security number," Sabo said.

The Massachusetts Office of Consumer Affairs and Business Regulation said college students are more susceptible to identity theft because students are often unaware of how to protect themselves when they get credit offers or requests to access said information.

The National Student Clearinghouse said on its website information from past and current students' records could've been exposed. UnitedHealthcare Student Resources said in July, a combination of students' birthdays, ID numbers, Social Security numbers and insurance information may have been exposed. Both UnitedHealthcare and National Student Clearinghouse said security updates were made to the systems.

Current, former students concerned about data security

Students at Michigan State University recently told USA TODAY their perceptions of how well the university manages their information has changed because of the breach. Many learned about it in the fall despite the university's July alert.

Charles Cabell, 19, said he doesn't know if his information was accessed, but wouldn't be surprised as "everything is at your fingertips" with the internet.

Cabell has been in "many minor data breaches," including Facebook's 30 million-person hack in 2018 and Equifax's 145 million-person breach in 2017, he said.

Daniella Choi, 18 from Los Angeles, pulls a suit case up to her dorm building as she moves in on campus at the University of California, Berkeley on Aug. 16, 2021.
Daniella Choi, 18 from Los Angeles, pulls a suit case up to her dorm building as she moves in on campus at the University of California, Berkeley on Aug. 16, 2021.

Progress' breach exposed personal information about students

Progress doesn't know what data was accessed in the attack because MOVEit Transfer is an on-premise software that runs on its clients' computers, according to MOVEit's information page. Spokesperson John Eddy equated it to a person having a Windows computer, but Microsoft doesn't see what files are installed.

The U.S. Department of Education said all affected institutions were alerted about the incident more than two months ago. A spokesperson told USA TODAY the department monitors and tracks cybersecurity incidents but declined questions about how often the incidents occur.

In its 2023 Cost of Data Breach report, IBM said breaches, so far, cost the education industry $3.65 million this year, down from $3.86 million in 2022. The report ranked education 11th out of 17 other industries in terms of the highest cost of a data breach – health care ranked first at $10.93 million so far this year, double the cost of the second-place financial industry.

"People could try to take out loans using that information, attack bank accounts depending on what they have about you and socially engineer you and impersonate you," said Fred Scholl, a cybersecurity professor at Quinnipiac University in Connecticut.

Jennifer Kraut, 52, of Bay City, Michigan, is the parent of a 21-year-old college student and said the digital age has made it more difficult for people who don't like to share personal information.

"I'm not sure really what choice we have," she said. "Living in the electronic age that we live in, I think you just have to put some trust in the system."

A class-action lawsuit has been filed against Progress for what filers alleged is negligent handling of personal data in Massachusetts. Progress declined to comment on the lawsuit.

UnitedHealthcare said affected people will receive a form of credit monitoring and identity theft protection services. National Student Clearinghouse has no mention of similar offerings on its website.

The timing of the data breach, which Progress has said happened at the end of May, made recent college graduates like Connor Zagumny, 22, vulnerable.

"Nothing is secure enough except for maybe pen and paper, but we can't do that these days," Zagumny told USA TODAY.

Students at Palomar College in San Marcos, Calif., listen to experts during special lectures on timely, diverse topics.
Students at Palomar College in San Marcos, Calif., listen to experts during special lectures on timely, diverse topics.

Experts: Monitor your credit, password usage

Class-action lawsuits could hold businesses accountable if a court finds them negligent. But Scholl said people don't have to wait to perform basic security checks on their banking and social media accounts.

"To some extent, individuals have to be their own human firewall to protect their data," he said.

To do that, Charles Henderson, head of IBM's X-Force, a data security response team, said people should set up a password manager and store all passwords in it. He said many will alert users if a website has been involved in a data breach and prompt people to change their passwords. However, he said many people fall victim to reusing passwords, which he classified as a massive security issue.

Experts have advised people to turn on and use two-factor authentication wherever possible. The Federal Trade Commission compares it to adding a second lock on a door: People cannot enter with a password alone. It requires PINs, a biometric screen, or login verification from a device before accessing the account.

A smartphone being held in a hand displaying a credit report against a blue background.
A smartphone being held in a hand displaying a credit report against a blue background.

Michigan State University senior William Stark, 21, said his passwords are stored on his phone for convenience.

"The most important things, like Social Security, bank routing numbers, things like that, I do not keep digitally. I keep a hardcopy either printed out or written," Stark said. "But passwords, they don't necessarily mean much. It's all in the Notes app."

Michigan State University third-year college student Topher Smith, 20, told USA TODAY he's known about the data breach for a while and doesn't know if he's affected. After having his passwords exposed in LastPass' 2022 breach, he's keeping a close eye on his credit.

Students walk along the pedestrian walkway past the Haslam College of Business during the first day of the fall semester on the University of Tennessee's campus in Knoxville on Aug. 23.
Students walk along the pedestrian walkway past the Haslam College of Business during the first day of the fall semester on the University of Tennessee's campus in Knoxville on Aug. 23.

"I have ID Shield, which is a larger security-tracking company, but even then, I'm trusting some other external source with my information," Smith said.

The FTC recommends people use the three national credit bureaus – Equifax, TransUnion and Experian – to monitor their credit and set up fraud alerts.

"The short way of saying that is be aware of your digital surroundings," Henderson said.

Contact reporter Krystal Nurse at knurse@USATODAY.com.

This article originally appeared on USA TODAY: Amid Progress data breach, college kids should review passwords