University System of Georgia Breach: 800k Affected

Nearly 800,000 individuals linked to the University System of Georgia (USG) have had their personal data exposed in a cyberattack involving the MOVEit software, a secure file transfer solution used by industries across the globe. The breach, which first came to light in May 2023, is one of many similar incidents orchestrated by the Clop ransomware group, who exploited vulnerabilities in the MOVEit software to steal data.

USG disclosed this breach in April 2024, nearly a year after the initial attack. The data accessed by cybercriminals included highly sensitive information such as full social security numbers, dates of birth, bank account numbers, and federal income tax documents. In a data breach notice, USG explained, "The files and information obtained by this cybercriminal group will likely be published on its website," exposing the severe privacy risks posed to the affected.

In response to the breach, USG has updated and secured its MOVEit file transfer solution. It's also offering affected individuals 12 months of complementary identity protection and fraud detection services through Experian.

The incident at USG is part of a broader series of attacks by the Clop group, which has affected nearly 900 educational institutions, including prominent universities like Harvard and Stanford, as noted by SiliconANGLE. All these institutions were compromised via the same vulnerability in the MOVEit software, a critical bug officially designated CVE-2023-34362, which allowed unauthenticated remote attackers to execute SQL injections.

However, the MOVEit cyberattacks didn’t only affect educational institutions —- they spread far beyond that, impacting a multitude of sectors across the world. The attacks successfully breached sensitive Medicaid data from Missouri, the personal health information of 1.7 million Oregon residents, major corporations like British Airways and the BBC, and even the personal details of users of the system maintenance app, CCleaner.