The Minnesota Department of Education announced Friday that personal information pertaining to about 95,000 students was breached as part of an ongoing and global exploit of a popular file-transfer system.
Hackers from the ransomware group known as CL0P recently exploited a previously unknown vulnerability in the file-transfer software MOVEit, which the group has said it has used to breach “hundreds of companies” since May 31.
An initial investigation by the Minnesota IT Services agency found 24 education department files that had been accessed through the MOVEit vulnerability. Those files contained information, shared between the Minnesota Department of Education and state Department of Human Services, on about 95,000 students who’ve been through the state’s foster care system, including names, demographic details and where they’ve been placed.
The Minnesota Department of Education said that no financial information was taken in the breach, and that no ransom demand has been posted. “Additional steps were taken to investigate and assess the impact of the breach, and to put additional security measures in place,” a press release read.
The CL0P group’s ongoing exploit of the MOVEit file-transfer service was the subject of an advisory last week from the FBI and the Cybersecurity and Infrastructure Security Agency. According to the agencies, the group started out as a ransomware-as-a-service outfit — in which a smaller team of programmers licenses their malware to “affiliates,” who then split any ill-gotten gains. The CLoP group has moved into also selling access to compromised networks, and it also runs a botnet specializing in phishing and financial fraud, the advisory read.
CL0P, which dates back to 2015, was previously linked to an exploit of the Accellion File Transfer Appliance in late 2020 and early 2021, which exposed data from many of that platform’s customers, including universities, hospitals and state government agencies.
CyberScoop reported that Censys, a company that tracks internet-connected devices, counted nearly 3,800 MOVEit Transfer hosts online as of June 2 across nearly a dozen countries, though largely located in the United States, the education, financial and government sectors. Previously known victims of the MOVEit exploit include British Airways and the BBC.
The ongoing campaign has some state governments scrambling to unplug from MOVEit. Acting Illinois CIO Sanjay Gupta said Friday that “within minutes” of the initial attack on May 31, the state Department of Innovation & Technology disconnected any associated systems and began a forensic analysis to determine how far the attackers were able to reach into state networks. The investigation is ongoing, officials said.
“DoIT’s Infrastructure and Security teams moved quickly to respond to the attack affecting Illinois’ network, evicting the attacker within three hours and verifying that the vulnerability could no longer be exploited in our system,” Gupta said in a press release. “We are working with all relevant authorities and will provide regular updates to the people of Illinois.”