(September 11, 2023) Update on Third-Party Vendors Data Breach
Lansing Community College has been notified that the National Student Clearinghouse (NSC) was the victim of a cybersecurity incident. LCC does not use the MOVEit software, and its own systems were not part of this security incident.
NSC is a national nonprofit that collects enrollment and other student data from many colleges and universities, and LCC uses NSC for student financial aid compliance purposes. NSC uses a third-party software tool, MOVEit Transfer, which contained a vulnerability that was exploited by an unauthorized party. LCC was informed by NSC that, as of August 16th, 2023, the only LCC-related data compromised were student names and students’ affiliation with LCC. LCC has been assured that no other information was accessed and that there was no compromise of personally identifiable information.
NSC intends to directly contact individuals whose personally identifiable information was affected by this incident (for example, individuals whose Social Security Numbers or financial account information were accessed). Additional information can be found at: https://alert.studentclearinghouse.org/. Because the affected information relating to the LCC community is not considered confidential personally identifiable information, LCC community members should not expect to hear further from NSC regarding the incident.
The safety of our community remains a top priority. LCC will continue to monitor this and other third-party security incidents that may affect information relating to the LCC community. We also encourage you to take precautionary steps to protect your own personal information from scams and identity theft. You should continue to follow good cybersecurity practices such as: keep software and hardware up to date, beware of suspicious emails, use anti-virus, VPN, and firewall software, use strong unique passwords, enable multifactor authentication where available, and back up your critical information.
If you have any questions or need further information, please contact the LCC Help Desk at 517-483-5221 or via e-mail at lcc1@lcc.edu.
(August 9, 2023) Update on Third-Party Vendors Data Breach
The Hartford Investment Group has advised LCC that no LCC employee data was affected by recent data security incidents involving the MOVEit file transfer software vulnerability. LCC does not use the MOVEit software, and its own systems were not part of this security incident.
Third-Party Vendors Victim of Data Breach
LCC has recently been made aware of data security incidents involving some of its third-party vendors that were impacted by the MOVEit file transfer software vulnerability. LCC does not use the MOVEit software, and its own systems weren't part of this security incident.
The following vendors have contacted LCC to advise that information for some LCC employees and students may have been involved in data security incidents relating to this vulnerability: TIAA (Teachers Insurance and Annuity Association of America), the Hartford, and National Student Clearinghouse (NSC). TIAA is a financial provider for educators and academics. LCC uses Hartford to provide insurance services. The NSC is a national nonprofit that collects enrollment and other student data from many colleges and universities, and LCC uses NSC for student financial aid compliance purposes. TIAA and the Hartford both use vendor PBI Research Services, which used the MOVEit Transfer software that was exploited as part of this incident. It is our understanding that each of these vendors has contacted law enforcement, initiated an investigation, patched the vulnerabilities, and secured its networks. They are now operational again, are investigating the security incidents, and plan to provide updates when they are available.
LCC will continue working with its third-party vendors to learn more about the potential exposure of personal data, and more specifically to identify who within the LCC community was impacted and what information was involved. It is our understanding that these vendors are sending affected individuals a letter by mail in the coming weeks with additional information.
LCC will continue to monitor this situation and will provide updates as more information becomes available.
If you have any questions or need further information, please contact the LCC Help Desk at 517-483-5221 or via e-mail at lcc1@lcc.edu.
(June 29, 2023) Notice of Data Event
On or around March 14, 2023, Lansing Community College (“LCC”) became aware of suspicious activity on its computer network. LCC immediately launched an investigation, with the assistance of third-party computer specialists. Through the investigation, LCC determined that, between December 25, 2022 and March 15, 2023, an unauthorized actor may have had access to certain systems. In an abundance of caution, LCC reviewed the information on those systems to confirm what information is contained within, and to whom it relates. This process was completed on May 24, 2023. Although LCC has no evidence of any identity theft or fraud in connection with this incident, LCC is notifying individuals whose information was present in its systems at the time of the incident by letter. This letter includes specific detail as to the data potentially accessible for each person.
LCC notified federal law enforcement and is cooperating with its investigation. LCC also notified the U.S. Department of Health & Human Services’ Office for Civil Rights and relevant state authorities. Individuals who have questions about this incident can contact our dedicated call center at 1-866-547-5959 between 9:00 a.m. and 6:30 p.m. Eastern Time, Monday through Friday, except holidays.
LCC encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity. LCC is providing potentially impacted individuals with contact information for the three major credit reporting agencies, as well as providing advice on how to obtain free credit reports and how to place fraud alerts and credit freezes on their credit files. The relevant contact information is below:
Equifax
P.O. Box 105069
Atlanta, GA 30348
1-888-298-0045
www.equifax.com
Experian
P.O. Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com
TransUnion
P.O. Box 2000
Chester, PA 19016
1-800-916-8800
www.transunion.com
Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.
Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.