Tens of thousands of public-school students and employees in New York City had their personal data stolen in the recent hack of the file-transfer software MOVEit, the city’s Department of Education revealed over the weekend.
According to the city’s preliminary investigation, personal information — including some Social Security numbers — belonging to 45,000 students and an unknown number of staff was affected by the breach, which has impacted a growing list of organizations around the world that use MOVEit to manage data transfers. New York City schools’ exposure also included 19,000 documents and an unspecified number of employee ID numbers.
The New York City Department of Education runs the nation’s biggest K-12 system, with more than 1.1 million students across about 1,800 schools.
Officials said not all victims had the same types of data stolen — for instance, only 9,000 Social Security numbers have been counted in the breach, though they are still assessing the full scope of the exposure. The New York Police Department and FBI are among the agencies investigating the incident.
Like other MOVEit customers, the New York City Department of Transportation used the software to move volumes of data both internally and to and from vendors, including special education service providers.
According to a statement released Saturday, Department of Education IT staff and New York City Cyber Command disconnected MOVEit “within hours” of being notified that hackers associated with the ransomware gang Cl0p were exploiting a previously unknown vulnerability in the file-transfer program. That vulnerability was first disclosed to customers on May 31 and publicized by U.S. cybersecurity authorities on June 7. MOVEit’s publisher, Progress Software, has since disclosed two additional vulnerabilities and offered patches.
New York officials said they installed the relevant patches and have kept their MOVEit server offline.
“Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems,” the statement reads.
Including New York City schools, at least 106 organizations worldwide have confirmed their exposure to the MOVEit hack, according to Brett Callow of the antivirus company Emsisoft. Other U.S. public-sector victims include the Minnesota Department of Education, motor-vehicle agencies in Louisiana and Oregon, the Maryland Department of Human Services and the California Public Employees’ Retirement System, the country’s biggest pension fund.
MOVEit is also the second widespread vendor breach in as many years to ensnare the New York City Department of Education. Last year, hundreds of thousands of student records going back more than half a decade were exposed in a cyberattack against Illuminate Education, which provides grading and attendance records.
While the Cl0p group has started posting files stolen from several of MOVEit’s private-sector customers on its extortion website, the ransomware gang claims it is not posting data taken from government or education victims.