On July 24, 2023, Michigan State University (“MSU”) posted a notice on its website describing a third-party data breach that occurred at two vendors used by the University. In this notice, MSU explains that the Teachers Insurance and Annuity Association (“TIAA”) and the National Student Clearinghouse (“NSC”) both experienced data breaches related to the file transfer program MOVEit, resulting in the potential exposure of student and retiree data. Soon, those whose confidential information was impacted by the MSU vendor data breaches should receive data breach notification letters in the mail.

If you received a data breach notification discussing the vendor data breaches affecting Michigan State University, it is essential you understand what is at risk and what you can do about it. To be sure, the MOVEit data breaches at MSU’s vendors are a bit confusing to follow based on the various organizations involved; however, the end result is that confidential student and retiree information may have been leaked as a result of a vulnerability within MOVEit. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the Michigan State University data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breaches Potentially Affecting Michigan State University?

The Michigan State University data breaches were only recently announced, and more information is expected in the near future. However, MSU’s recent website notice entitled “MSU THIRD-PARTY VENDORS VICTIM OF DATA BREACH” provides some important information on what led up to the breach.

According to this source, Michigan State University relies on TIAA and NSC to perform certain services related to students and retirees. Both NSC and TIAA experienced data breaches stemming from the MOVEit vulnerability, although there are important differences between the two.

NSC uses MOVEit. Therefore, MSU student data that was provided to NSC by MSU may have been accessible through NSC’s MOVEit server.

TIAA does not use MOVEit; however, one of TIAA’s vendors, Pension Benefit Information, LLC, (“PBI”) does. Thus, the TIAA/PBI breach involves MSU retiree information that MSU provided to TIAA and TIAA then, in turn, provided to PBI.

The MSU notice notes that both NSC and PBI have set up webpages to address MOVEit-related concerns. Additionally, both PBI and NSC are still investigating the full impact of the incident and will provide notice to affected parties once the investigations are complete.

And, to be clear, MSU’s computer systems were not impacted by the breaches at either vendor. The potentially affected data was limited to that which was stored on the MOVEit servers belonging to NSC and PBI.

More Information About Michigan State University

Founded in 1855 as the Agricultural College of the State of Michigan, Michigan State University is a research university located in East Lansing, Michigan. MSU offers more than 200 academic programs through 17 colleges. More than 48,000 students attend Michigan State university, and the school has one of the largest alumni networks with 634,000 members. Michigan State University employs more than 12,000 people and generates approximately $1.7 billion in annual revenue.