Indiana University is investigating the potential impact on students, current and former employees, donors, and retirees of IU and the IU Foundation resulting from a nationwide data breach traced back to MOVEit, a file transfer software used by outside organizations.

Records exposed by third-party contracted vendors Teachers Insurance and Annuity Association, TIAA Kaspick and the National Student Clearinghouse included personal information such as names, birthdates and Social Security numbers.

Indiana University and the IU Foundation do not use MOVEit, and no IU or IU Foundation systems were affected by the breach. For IU-connected individuals impacted by the breach, they can anticipate receiving direct outreach from TIAA, TIAA Kaspick or the NSC regarding available resources, options, information and next steps.

For more information on how IU employees can proactively protect, and secure personal information online, visit our the university’s Online Account Security resource.

Students

The National Student Clearinghouse, which manages student data for verification and reporting services for most universities across the nation, is working with leading cybersecurity experts to assess the impact and promptly take measures to further protect its data and systems. People impacted will receive communication from the NSC once it has identified individual records in collaboration with the IU Information Security Office. At this time, the NSC has assured IU that recently exposed data is no longer at risk of being extracted.

IU Foundation donors

Pension Benefit Information LLC, a subcontractor of TIAA Kaspick and administrator of the IU Foundation charitable trusts and annuities, has assured TIAA and the IU Foundation that all recently exposed data is no longer subject at risk of being extracted. Data included in the exposure was limited to name, date of birth and Social Security number; no bank account information was ever sent to PBI or exposed due to this incident.

PBI is continuing to monitor their systems and has implemented enhanced controls following this incident. If impacted, you will receive a letter from PBI with further information.

IU Foundation staff (current, past and retired)

Pension Benefit Information LLC, a subcontractor of TIAA and administrator of the IU Foundation retirement plan, has assured TIAA and the IU Foundation that all recently exposed data is no longer at risk of being extracted. They are continuing to monitor their systems and have implemented enhanced controls following this incident. If impacted, you will receive a letter from PBI with further information.

IU staff (current and past employees)

While TIAA is no longer a university retirement services vendor, many current and former employees, as well as retirees, still maintain accounts. TIAA is actively working with the third-party vendor to ensure impacted individuals are notified of the breach and of their eligibility for free credit monitoring.

This information will come directly from TIAA and/or its vendor partner PBI. Contact TIAA at 800-842-2252 with questions.

Please note IU’s current retirement vendor, Fidelity, does not use MOVEit and was unaffected by the breach.