The sensitive personal data of about 45,000 New York City public school students, as well as New York City Department of Education (DOE) staff and related service providers were compromised in the worldwide MOVEit file transfer software hack, the DOE announced on Friday.
The types of data impacted include approximately 9,000 Social Security Numbers, birth dates and employee ID numbers.
“Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate,” New York Public Schools said in an announcement on Sunday. “We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.”
The DOE said it is still trying to determine who specifically was affected. Students whose confidential information was compromised will be contacted this summer and will be offered identity monitoring services.
New York City Public Schools is just the latest organization to announce that it was the victim of the worldwide MOVEit file transfer software hack. Many other organizations have been impacted, including Johns Hopkins University, the University System of Georgia, UCLA, the University of Rochester, the U.S. Department of Energy’s Oak Ridge Associated Universities and a Waste Isolation Pilot Plant in New Mexico, reports Tech Crunch. Other organizations impacted include the BBC, Shell, Louisiana’s Office of Motor Vehicles, British Airways, Boots, Genworth Financial, the California Public Employees’ Retirement System, Siemens, and Schneider Electric. Most of the attacks began around May 27-28 and were probably timed to take advantage of the long Memorial Day weekend, reports Bank Info Security.
Experts believe the attacks are being carried out by the Clop ransomware gang, which is believed to have pro-Russian ties. The FBI is currently investigating the breaches.
CS sister publication, MyTechDecisions.com, published guidance on how organizations can prevent MOVEit exploitation of their networks. The article can be read here.