MoveIT software vulnerability and third-party breaches 

In late May, Boston University became aware of a vulnerability in a file transfer software package called “MoveIT” made by Progress Software.  The federal Cybersecurity & Infrastructure Security Agency (CISA) released an advisory on this topic on June 1st.

Boston University is not a customer of MoveIT and was not directly affected by this vulnerability.

We have received notifications from three vendors that we work with that they have suffered data breaches because of this vulnerability that may impact portions of our community.  We take the protection of our community’s data seriously and are working with these vendors to ensure any individuals who are impacted are made aware of the breach.

The vendors that have notified us to date include:

  • NASCO, a subcontractor to Blue Cross Blue Shield of Massachusetts (BCBSMA) which had access to data for employees enrolled in BCBSMA health plans. Questions regarding NASCO can be sent to hr@bu.edu. Affected individuals will receive notifications directly from NASCO.
  • Pension Benefit Information (PBI), a subcontractor to both Fidelity Investments and Teachers Insurance and Annuity Association of America (TIAA), which had access to data for some select employees.  Questions regarding these vendors can be sent to hr@bu.edu. Affected individuals will receive notifications directly from these vendors.
  • National Student Clearinghouse (NSC), a nonprofit and nongovernmental organization and the leading provider of educational reporting, data exchange, verification, and research services, which had access to some student data. NSC has posted a public noticeabout this breach. As of July 13th, 2023, we do not have any more details than what is in the public advisory. We expect additional updates in coming weeks and will update this notice accordingly. On August 14th, 2023, we learned that a very small number of BU students were impacted. These students will receive notification from the University Registrar.