Data breach exposes personal information of Idaho college students, employees
A data breach has exposed personal information of students and employees at seven of Idaho’s public colleges, the State Board of Education said Friday.
The exposed data includes first and last names, addresses, birthdays and Social Security numbers of employees of Boise State University, the University of Idaho, Idaho State University, Lewis-Clark State College, and three community colleges: the College of Western Idaho, College of Southern Idaho and North Idaho College, according to a news release.
It’s unclear if the same types of personal information, like Social Security numbers, were exposed for students, and it’s unclear how many people were affected by the breach, said Mike Keckler, chief communications and legislative affairs officer for the board.
A hacker discovered a vulnerability in third-party file-transfer software used by the National Student Clearinghouse and Teachers Insurance Annuity Association of America, the release said. The hacker exploited the weakness to access and download personally identifiable information from both organizations.
Higher education institutions authorize the clearinghouse to share enrollment and degree data with “entities that have a direct relationship with students,” according to the release. The insurance association is one of two companies that manage the board’s retirement plans for faculty and staff in Idaho.
According to a webpage the clearinghouse posted about its response to the breach, its systems have since been patched. The clearinghouse is investigating the breach with a cybersecurity company.
The software vulnerability didn’t affect internal systems of the insurance association, the release said. People affected will receive a letter from the association offering free credit monitoring for two years.
The clearinghouse first notified the State Board of the breach in June, Keckler said. The board will decide what action to take after it learns more, he said.
“This is a third-party vendor,” Keckler said by phone. “We’re just waiting for more information.”
No systems managed by the board or Idaho’s schools were breached, the release said.