In a recent breach involving the file-transfer software MOVEit, personal data of more than 45,000 public school students has been compromised, according to a letter sent to families and staff by the New York City Department of Education (DOE). The DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third party special education service providers.
The breach, which exploited a SQL injection vulnerability found in MOVEit Transfer, a widely used file transfer software by Progress Software, is the latest incident of its kind. The New York City DOE, with the assistance of the NYC Cyber Command, promptly patched the software hours after learning of the vulnerability. However, an internal investigation conducted by the DOE revealed that approximately 19,000 unauthorized accesses to 19,000 documents had already occurred.
As a precautionary measure, the servers have been taken offline. Emma Vadehra, the chief operating officer of the DOE, stated, “Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.” The initial findings from the internal investigation indicated that around 45,000 students were affected, excluding the DOE staff and related service providers.
The compromised data includes Social Security numbers and employee ID numbers, posing a significant risk to the affected individuals. The exploit of the MOVEit vulnerability was not a unique occurrence. Prior to the notification sent out by Progressive Software on May 31, the vulnerability had already been exploited in the wild. MOVEit customers were advised to check for signs of unauthorized access dating back at least 30 days, indicating that attacker activity was discovered before the vulnerability was disclosed.
Shortly after the notification, the Clop ransomware gang targeted at least three U.S. government agencies by exploiting the MOVEit file-transfer flaws. In response to these attacks, the State Department offered a $10 million reward for any evidence linking Clop to a foreign government.
The DOE has assured those affected by the breach that it will provide assistance. In addition to follow-up notifications with instructions on how to handle compromised personal data, affected individuals will be offered access to an identity monitoring service. The FBI and the New York Police Department are currently investigating the breach, and the DOE is awaiting further details from the investigation.
This breach highlights the importance of implementing robust security measures and promptly addressing vulnerabilities in software systems. The exposure of personal data, especially sensitive information like Social Security numbers, can have severe consequences for individuals. Organizations must prioritize cybersecurity and take proactive steps to protect sensitive data from unauthorized access or exploitation.
As the investigation into the breach continues, it is crucial for the DOE and other organizations to learn from this incident and take appropriate measures to prevent similar breaches in the future. Collaborating with cybersecurity experts, implementing regular vulnerability assessments, and promptly patching software vulnerabilities are essential steps to protect sensitive data and maintain the trust of stakeholders.