The New York City Department of Education (DOE) was breached via the MOVEit transfer bug, exposing the personal details of around 45,000 of the city’s students.
The DOE’s incident notice shared the news, saying that the sensitive data of students, staff, and related service providers was exposed in the hack.
The department patched the flaw within hours of learning about it and took the servers offline. Like many other organizations, the DOE was victimized when attackers exploited the MOVEit transfer bug, enabling them to access and download the data stored there.
“Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included),” the DOE said.
The department continues to investigate the issue to determine what type of confidential data was exposed and what impact the breach had on each affected individual. Once the investigation is complete, the DOE said it will inform each affected person.
“The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate,” the DOE said.
Why is the MOVEit zero-day important?
The Russia-linked Cl0p ransomware gang has taken credit for exploiting the MOVEit zero-day bug. They claim to have breached hundreds of companies in the process. Experts we’ve spoken to say that around 3,000 deployments of the MOVEit application were active when the flaw was first discovered.
Cl0p has been posting victims’ names on its dark web leak site since June 14th, with Shell Global, Telos, Norton LifeLock, and tens of others uploaded so far. The extent of the exposed data depends on how a given company uses the file transfer system.
Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means that it rents the software to affiliates for a pre-agreed cut of the ransom payment.
The gang employs the “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing the exfiltrated data on its data leak site if the ransom is not paid.