45,000 NYC Students' Data Stolen in MOVEit Breach
According to the New York City Department of Education (NYC DOE), sensitive personal information belonging to approximately 45,000 students was compromised as hackers gained unauthorized access to documents stored on the MOVEit Transfer server. This compromised data includes Social Security numbers.
In addition to the student and staff information, the exposure at New York City schools encompasses approximately 19,000 documents and an unspecified number of employee ID numbers.
"We also conducted an internal investigation, which unveiled that certain DOE files were compromised. Ongoing examination of the affected files indicates that approximately 45,000 students, along with DOE staff and associated service providers, have been affected," stated NYC DOE COO Emma Vadehra.
The New York Police Department and the FBI are among the law enforcement agencies investigating the incident. According to officials, the breach did not affect all victims in the same way. For instance, they have identified 9,000 Social Security numbers that have been compromised, but they are still evaluating the extent of the exposure.
NYC DOE used the managed file transfer (MFT) software for secure data and document transfers. Upon receiving information from the software developer about the vulnerability (CVE-2023-34362), NYC DOE promptly applied patches to its servers. However, the attackers had already exploited the vulnerability in large-scale attacks before security updates were available, which makes it a zero-day.
In a statement provided to BleepingComputer, the Clop ransomware gang has taken credit for the MOVEit Transfer attacks that exploited the CVE-2023-34362 vulnerability on June 5. The cybercriminal group claimed to have breached the MOVEit servers of "hundreds of companies."
Clop's participation in this large-scale data theft campaign reflects a broader trend of targeting MFT platforms. This pattern is evident in previous incidents, such as the breach of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and the widespread exploitation of GoAnywhere MFT servers in January of this year.