The New York City Department of Education has become the latest organization to disclose it had private data stolen as part of the far-reaching MOVEit file transfer software hack. In an email sent to parents on Sunday, the agency said the personal information of approximately 45,000 students, including in some cases social security numbers and birth dates, had recently been compromised. The Education Department said the personal information of staff was also accessed but did not share how many teachers and other personnel were affected.
“The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual,” the department said Sunday. “When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.”
The Education Department is one of many organizations affected by the MOVEit hack. Clop, a ransomware gang with suspected pro-Russian ties, claimed responsibility for the cyberattack in early June. The group took advantage of a zero-day vulnerability in the enterprise file transfer software to breach the servers of “hundreds of companies,” including the largest US pension fund. The scale of the New York City Department of Education breach is small compared to some of the other victims caught up in the hack but is notable for including the personal information of minors. In an interview with Bleeping Computer, the Clop gang claimed it would erase any data it obtained from governments, the military and children’s hospitals. It’s unclear if the group includes student data in that final category.