Three third-party organizations associated with Stony Brook University, the National Student Clearinghouse (NSC), the Teachers Insurance and Annuity Association (TIAA), and Corebridge Financial (formerly AIG) have informed us that they were impacted by a global cyberattack involving software used to transfer student and employee data. Student data is sent to the NSC for the National Student Loan Data System (NSLDS) as required by the U.S. Department of Education. Data for some employees is sent to TIAA and Corebridge Financial to support retirement services.

The cyberattack has already impacted hundreds of organizations worldwide and the list of victims continues to expand. The criminals exploited a vulnerability in a widely used file-transfer software called MOVEit. This vulnerability allowed hackers to access private information stored within the victim organization’s IT systems. We have been notified that confidential information belonging to Stony Brook University students, staff and faculty members may have been compromised. The type and extent of the data accessed by the cybercriminals is not yet known, but we have been advised that the impacted organizations will notify you personally in due course if your information was affected.

Things You Can Do to Protect Yourself

1. Be extra vigilant: It is possible that cyberattackers may leverage stolen personal information from this attack to craft convincing phishing attacks in the coming weeks and months. An email, notice, or text message containing accurate information about you or one of your accounts is not enough to verify authenticity. Verify the source of a message before responding. Take note of how to identify a phishing attack. Phone calls may also be used to obtain personal or financial information.
2. Monitor your financial accounts and credit: It is always wise to monitor your credit report for unusual activity. Consider putting a credit freeze in place to frustrate would-be scammers if you believe you are being targeted. 
3. Secure your accounts: Remember to enable two-factor authentication and to use long passphrases for all of your accounts. Never give someone your password or a two-factor code if asked for it, even if they claim to be from a trusted organization.

We are monitoring the situation closely and we are committed to providing relevant updates as the situation develops. If you have any questions or concerns, please contact us at privacy@stonybrook.edu.

Thank you for your patience and understanding.

Lawrence M. Zacarese
Vice President, Enterprise Risk Management
Chief Security Officer

Matt Nappi
Assistant Vice President, Division of Information Technology
Chief Information Security Officer