National Student Clearinghouse, Progress Software Corporation Facing Class Action Over May 2023 MOVEit Data Breach [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

National Student Clearinghouse (NSC) faces a proposed class action over its alleged failure to secure consumers’ private information during a May 2023 data breach targeting MOVEit, a file transfer platform owned by third-party IT vendor and co-defendant Progress Software Corporation (PSC).

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 47-page lawsuit says NSC, an educational nonprofit, was informed by PSC on May 31, 2023 that an unauthorized party had accessed certain files from the MOVEit tool containing sensitive information entrusted to the organization by students. According to the case, an investigation by NSC revealed that on or around May 30 of this year, a notorious ransomware gang known as Cl0p stole files related to 890 schools using the nonprofit’s services.

Information reportedly exposed in the cyberattack includes names, dates of birth, contact details, Social Security numbers, student ID numbers, and certain school-related records such as enrollment records, degree records and course-level data, the case relays.

“Armed with the Private Information accessed in the Data Breach, data thieves can and likely have committed a variety of crimes and bad acts,” including identity theft and fraud, the suit stresses.

Related Reading: 2023 MOVEit Data Breach Lawsuits

The complaint alleges that both NSC and PSC disregarded the privacy rights of consumers by “intentionally, willfully, recklessly, or negligently” failing to implement reasonable cybersecurity measures. Per the suit, PSC left private information on its computer systems “unsecured and unencrypted,” and NSC was responsible for ensuring that any third parties it hired maintained adequate data security.

Investigations into Cl0p’s attack on MOVEit—which has reportedly affected over 2,000 government and corporate entities—show that the group had been experimenting with ways to exploit a vulnerability in the software as far back as 2021, the case says.

The filing goes on to note that NSC waited over two months after it confirmed its involvement in the breach to begin notifying affected individuals in late August, giving cybercriminals a “head start on using [the plaintiff’s] and the Class’s [private information] for nefarious, commercial purposes.”

The lawsuit looks to represent anyone in the United States whose private information was exposed in the data breach involving National Student Clearinghouse and Progress Software Corporation.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.