Update as of July 25, 2023:
- TIAA notified the University that personally identifiable information of approximately 650 current and former employees may have been exposed through the MOVEit Transfer data breach. TIAA indicated that Pension Benefit Information, LLC, one of its vendors, was impacted by the incident. Affected individuals will receive a notification letter directly from Pension Benefit Information (PBI) via postal mail. The vendor is offering free credit monitoring for two years to each of the individuals impacted.
- NSC has informed Drake that personal data, which may include name, date of birth, and academic transcripts, of current and former students may have been breached. Impacted students and alumni will be notified via postal mail. Please read any notices you receive carefully.
This page will be updated as more information becomes available.
Original alert posted June 10, 2023:
Cybersecurity incident alert related to third-party breaches
Drake University has been notified by two of the University’s service providers, National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA), that certain personally identifiable information and data of some members of our community may have been impacted by the MOVEit Transfer tool vulnerability that is affecting millions across the country. The scope and extent of this data breach are still under investigation. This message shares what we know to date.
MOVEit Transfer is third-party software used by NSC to support the transfer of data files. Read an update from NSC that shares what files and data are suspected to be affected.
TIAA has stated that no information was obtained from TIAA systems. However, one of its vendors uses the MOVEit Transfer tool, and some participant data may have been exposed through that third party.
The University takes data privacy and security very seriously and is working diligently with its cybersecurity team as well as NSC and TIAA to determine the full scope of the incident and response. If it is determined that Drake community members were affected by this attack, appropriate action will be taken, including notifications.
It is important to note that Drake University systems were not impacted. Once notified of the breach, the University took immediate action to verify its systems were secure. As more information becomes available, we will provide updates on this page, in the OnCampus newsletter, and via email to faculty, staff, and students. In the meantime, we urge all campus community members to follow these steps to protect their information and stay safe online:
- Regularly monitor your credit score and online accounts.
- Use multifactor authentication (MFA) everywhere it is available. Using multiple factors to authenticate into an account makes it more difficult for hackers to access your accounts.
- Be vigilant in spotting phishing attacks. Don’t open or respond to suspicious or unsolicited phone calls, emails, or texts. If you believe you’ve been targeted by a phishing attack, see Reporting a Phishing Message (How-to).
- Consider placing a temporary credit freeze at no cost, as described in this US Government alert: https://www.usa.gov/credit-freeze. This will protect you in the event of any potential fraudulent attempts to open credit in your name.