Third-Party Data Breach at Bellevue College Raises Account Security and Data Privacy Concerns for Students and Faculty

Bellevue College // The Watchdog.

The Bulldogs FYI reported at the end of its Aug. 2 statement that Bellevue College was part of a third-party data breach from MOVEit, a file transfer software. The college is trying to obtain more information from the organizations that alerted them of the problem: National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association (TIAA), an insurance company.

“Once we obtain additional information from NSC and TIAA, we will notify those impacted by this breach as to who was affected and what information was accessed,” the FYI website reads. The website will be updated and students will be informed once this information is retrieved but there have still been no updates about this in the last nine days.

According to a source linked in the FYI article, more than 15.5 million people have had their personal data hacked, all linked to the hackers “exploiting a security vulnerability in the MOVEit file transfer tool.” Some of these breaches have been linked back to a Russian hacking group called Clop. This ransomware group has a history of exploiting the MOVEit software. Even the oil company Shell confirmed that it was hacked by Clop back in June.

Identity theft is a risk with data breaches, although a data breach doesn’t automatically mean that your identity has been stolen. According to the Federal Trade Commission, identity theft is “when someone uses your personal or financial information without your permission.” The purpose of identity theft is usually to use your credit cards to purchase items, activate new credit cards, open an account in your name or use your medical insurance. 

Over this year, Bellevue College has shown ongoing efforts to prioritize data and account security for students and faculty.

On May 16, Bellevue College ITS Service Desk informed the campus, “There have been recent malicious attempts to impersonate members of the Bellevue College President’s Office via text messages sent to personal devices.” 

On June 19, Bellevue College ITS Service Desk announced through email that ctcLink and NetID accounts would be enrolled in Multi-Factor Authentication (MFA). 

On July 24, Bellevue College ITS Service Desk emailed that there was an increase in phishing within the BC Outlook email. BC has advice for spotting phishing, such as getting an email from a “BC employee,” but they have a name you don’t recognize and an email address not ending in @bellevuecollege.edu.

On July 27, Bellevue College ITS Service Desk sent out an email about adding MFA to employee Virtual Private Networks (VPNs). They stated that this is part of an “ongoing commitment to prioritize account security and safeguard our valuable data.” 

Could all of these incidents be related to the MOVEit file transfer breach, or is this just the typical experience as a student online?