ATLANTA — The University System of Georgia said cybercriminals "likely" gained access to unauthorized data via a possible security breach in its software system.
The potential breach is linked to the USG's MOVEit Security File Transfer and Automation software, which is used for storing and transferring sensitive data, officials said.
Progress Software, the company which created MOVEit, said a zero-day defect in its software -- a vulnerability in an application or operating system that is unknown to the software maker -- potentially allowed cybercriminals access to prohibited information stored inside the MOVEit repositories stored at several sites.
Those two sites included the University System of Georgia and the University of Georgia, a USG spokesperson said.
After finding out about the potential breach, USG officials said they moved quickly to apply Progress Software's recommendations which limited internet access to MOVEit software and applied newly-developed patches in order to "rectify the defective code."
USG said its cybersecurity experts are working to determine the extent of the possible exposure and let those affected by the issue know if their data has been breached.
Patrick Kelley of Leagas Security based in Canton pointed out Thursday that the cybercriminals may have targeted universities in Georgia and elsewhere to steal research data--some of it related to the nation's defense.
"That's where some of the world's greatest and most impactful research takes place," Kelley said. "If you look at Georgia Tech, for instance, they have a world-renowned cybersecurity and nuclear research department. University of Georgia has similar... The scale of it is pretty enormous."
Kunal Anand, Chief Information Security Officer with the cybersecurity firm Imperva, said the so-called "Clop" ransomware gang was able to impact organizations and firms internationally by discovering vulnerabilities in Progressive Software's product.
"It is software that is used by some of the biggest organizations all over the world," Anand said, adding that universities that use the software are especially desirable targets.
"There's a significant amount of wealth, research and intellectual property that these colleges and institutions have," he said. "So it's not surprising for a hacking group to come in. And again, they're not doing it to steal grades, they're not doing it to steal people's GPAs. They're doing it to fundamentally extract key intellectual property.... In some cases, it's to steal information. In some cases, it's to get the organization to pay. And in other cases, it's just to create chaos and disruption."
Kelley said the potential impact of the breach goes beyond only the software's customers.
"This impacts companies that aren't even running the software," he said. "So if they're transferring their data from one company to a vendor and that vendor is using MOVEit, then that original company, even though they're not running it at all, is impacted. And then that continues to affect consumers and users."
A class action lawsuit was filed against Mercer University on June 5 after more than 93,000 people were impacted by a data breach, according to court records. The lawsuit alleges a "failure to properly secure and safeguard" personal information for all those affected by the breach.