Personal data of over 45,000 public school students was compromised in a breach involving the file-transfer software MOVEit, according to a community letter sent to families and staff by the New York City Department of Education.
“DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third party special education service providers,” the letter said.
The breach is the latest exploit of a SQL injection vulnerability found in MOVEit Transfer, widely used file-transfer software from Progress Software.
Documents exposed before patching
Although the New York City DOE, with the help of the NYC Cyber Command, fully patched the software hours after learning of the vulnerability, 19,000 documents had already been accessed without authorisation, the DOE’s internal investigation revealed.
The servers have been taken offline out of caution, according to Emma Vadehra, the chief operating officer of the DOE. “Currently, we have no reason to believe there is any ongoing unauthorised access to DOE systems,” she added.
Preliminary results from the internal investigation also revealed that approximately 45,000 students, excluding DOE staff and related service providers, were affected.
Types of data impacted include Social Security numbers and employee ID numbers.
MOVEit vulnerability hit by many exploits
The file-transfer vulnerability had been exploited in the wild well before Progress Software sent out a notification about it on May 31. MOVEit customers were advised to check for indicators of unauthorised access over at least the prior 30 days, which implied that attacker activity had been detected before the vulnerability was disclosed.
Within days of the notification, the Clop ransomware gang was reported to have hit at least three US government agencies by exploiting MOVEit file-transfer flaws. The State Department offered a $10 million reward for proof of Clop links to a foreign government.
The DOE’s community letter gave assurance that it will help those affected by the breach, promising to follow up with notifications to individuals with instructions on how to deal with any compromise of personal data. Additionally, those affected will be offered access to an identity monitoring service.
The DOE also revealed that the FBI and the New York Police Department are investigating the breach, and that it is waiting for further details from the investigation.