Two U.S. schools have confirmed that TIAA, a non-profit organization that provides financial services for individuals in academic fields, has been caught up in the mass-hacks targeting MOVEit file transfer tools.
Middlebury College in Vermont and Trinity College in Connecticut both released security notices confirming they experienced data breaches as a result of a security incident at the Teachers Insurance and Annuity Association of America, or TIAA. According to its website, TIAA serves over five million active and retired employees participating at more than 15,000 institutions and manages $1.3 trillion in assets in more than 50 countries.
Both of the security notices confirm that TIAA was affected by hackers’ widespread exploitation of a flaw in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software.
The mass-hack has so far claimed more than 160 victims, according to Emsisoft threat analyst Brett Callow, including the U.S. Department of Health and Human Services (HHS) and Siemens Energy. Only 12 of these victims have confirmed the number of people affected, which already adds up to more than 16 million individuals.
Trinity College, which uses TIAA as the record keeper for its annuity plan, said in a statement that while its own systems were unaffected by the MOVEit hack, “TIAA, with whom Trinity shares student employee data, has announced that its files may be impacted.” Trinity said that it shared Social Security numbers and dates of birth with TIAA.
Middlebury College said it had also been notified by TIAA, with whom it shares personally identifiable information, that data belonging to the college had been exposed due to the cyberattack. While it hasn’t confirmed exactly what types of data were accessed, Middlebury said it notified college “students, faculty, and staff” whose information may have been compromised in the breach.
Middlebury confirmed it was also impacted by a MOVEit attack on National Student Clearinghouse, which resulted in the exposure of student data.
While TIAA notified affected schools of its security incident, the company has yet to publicly acknowledge the incident. In response to a Twitter user questioning the company’s silence, TIAA responded saying that its offices were closed. TIAA has not responded to TechCrunch’s questions.
It’s not yet known how many organizations have been impacted as a result of the cyberattack on TIAA. TIAA has not yet been listed on the dark web leak site of the Russia-linked Clop ransomware gang, which has claimed responsibility for the ongoing MOVEit cyberattacks.