Hackers strike Middlebury College

MIDDLEBURY — Undoubtedly, the internet has shrunk the distance between people in different parts of the world, enabling places like Middlebury College to reach out to and share ideas and educational information with people almost everywhere.

Unfortunately, that interconnectedness has also shrunk the distance between a thief and the valuable information at a place like the college.

That second point has been emphasized at least three times already this year as hackers have stolen Middlebury College information. And in some cases that data was not stolen directly from Middlebury, but from third parties who also held the information.

“This is not the first time a platform has been exploited, and it will certainly not be the last,” said Brett Callow, a threat analyst at the international cybersecurity firm Emsisoft.

“While it’s possible for organizations to reduce their risk level, perfect security is impossible to achieve,” Callow added. “Consequently, it’s critical that organizations have emergency response plans in place, not only in relation to potential compromises within their own infrastructure, but also within their supply chains.”

The most recent incident came to light in June, when it was widely reported that hackers (likely in Russia) had broken into systems using the MOVEit transfer software and stolen data from widely dispersed computers. On June 29, Middlebury College announced in a security notice that student and staff data had been exposed because of the MOVEit hack. Emsisoft, the cybersecurity and anti-virus software company, reported that, as of Aug. 18, some 728 organizations had been affected by the MOVEit security hole. The company continues to update this statistic daily.

UCLA, Stony Brook University, Trinity College, British Airways, and the U.S. Departments of Health & Human Services and Energy are but a few of the institutions that have also experienced exposures. 

This incident comes on the heels of two other cybersecurity incidents the college fell victim to earlier in the year, none of which have been isolated to the college.  

On April 9, Middlebury was part of a wave of swatting spam calls that also claimed Boston, Syracuse and Wake Forest universities. “Swatting” is when someone convinces police to intervene in a made-up incident, thus putting innocent people in danger of police overreaction. In Middlebury, someone called in, from a fake phone number or disguised computer, to report an active shooter at Davis Family Library. Law enforcement guarded students in the library, while their peers elsewhere on campus enforced self-mandated lockdowns. This went on for roughly an hour and a half until the college officially alerted students using a college-wide notification system.

That followed an incident in February when data collected by online box office software called AudienceView was stolen. Like many higher education institutions nationwide, Middlebury used this software, and the college released a security notice on this incident.

The platform collects payment information for box office ticket purchases. Some individuals had this information stolen as a result of the incident. 

Middlebury College has since switched to another provider, Eventbrite, for its online box office.

It’s unclear how much damage the MOVEit hack caused to Middlebury College.

Like most institutions, Middlebury was unwilling to provide details or comment beyond its official June 29 releases. The college community — students and employees — was notified about the breach through a general email as well as the aforementioned security notice.

According to both, student data exposures would have occurred through the National Student Clearinghouse (NSC). While Middlebury College doesn’t directly use the MOVEit transfer software, it employs NSC, which is a MOVEit subscriber. 

“NSC provides educational reporting, data exchange, verification, and research services to many higher education institutions,” according to the June 29 notice. 

The data compromised via Middlebury’s link to the organization has been categorized as “personally identifiable” by the college.   

Loyola University in Chicago, another college that saw data compromised through NSC, wrote in a July 10 statement similar to Middlebury’s that the organization has access to “students’ social security numbers, but not … any financial account information.”

In its statement on the incident, the NSC wrote that alumni data also might have been exposed. 

Colorado State University, another victim of the breach, reported in a statement that “students dating back to at least 2021” might have been included in the data exposure. 

Middlebury’s security notice doesn’t indicate whether these three details are true for the institution as well. 

Exposure of Middlebury College staff data would have occurred through TIAA Financial Services. The data that Middlebury provides TIAA was compromised through a TIAA link to a third organization that employs the MOVEit software. 

“TIAA is a financial organization that provides investment and insurance services for those working for organizations in the nonprofit industry in academic, research, medical, government, and cultural fields,” reads the college’s security notice. 

According to an Emsisoft blog post, this was the fourth-most frequent organization from which victims had data exposed as a result of the incident.

TIAA gave confusing information. It initially seemed to confirm that Middlebury College data was included in the exposure, but then was unclear on further inquiries and didn’t respond to further direct yes-or-no questions.

In an email to the Independent, an organization spokesperson stated, “A TIAA vendor, Pension Benefit Information (PBI), experienced a third-party cybersecurity incident involving the MOVEit Transfer software owned by Progress Software and used by PBI for file transfers.”

When asked to confirm if Middlebury College data was or was not exposed, another organization spokesperson said, “We have not observed any related unusual activity from this event involving TIAA accounts,” but did not provide confirmation regarding Middlebury data.  

At press time, the organization had not responded to follow-up requests to confirm whether Middlebury College data was exposed.

Callow, the cybersecurity analyst, urges institutions and individuals to take what steps they can to reduce the chances that their personal information falls into the wrong hands, but notes there is always risk.

“As individuals, there is really nothing we can do to insulate ourselves from the impact of incidents such as this,” he said. “We need to share data with organizations, and there’s a risk that that data will be compromised. Probably the best advice is simply to be cautious. Always monitor accounts for unusual activity, use multi-factor authentication everywhere it can be used, and be cautious about emails and texts.” 
