Massive Data Breach: 45,000 New York City Students’ Personal Information Stolen by Hackers

NYC DOE Data Breach: 45,000 Students’ Personal Information Stolen

IT Services for the New York City Department of Education (NYC DOE) recently confirmed that hackers stole sensitive personal information of up to 45,000 students from its MOVEit Transfer server.

The MOVEit Transfer software, which is used by NYC DOE to securely transfer data and documents to various vendors, including special education service providers, was exploited by attackers using a zero-day vulnerability, CVE-2023-34362. NYC DOE patched the servers as soon as the developer disclosed info on the vulnerability, but it was too late as attackers had already been abusing the bug in large-scale attacks.

The affected server was taken offline after the breach was discovered, and NYC DOE is working with NYC Cyber Command to address the incident. An internal investigation is also ongoing, which revealed that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Emma Vadehra, NYC DOE COO, said in a statement issued over the weekend that roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included). The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate.

The Clop ransomware gang has claimed responsibility for the MOVEit Transfer attacks on June 5, and they have breached the MOVEit servers of hundreds of companies. Kroll found evidence that Clop had been actively testing exploits for the now-patched MOVEit zero-day since 2021 and researching methods to extract data from compromised servers since at least April 2022. Clop’s involvement in this extensive data theft campaign is part of a broader pattern of targeting MFT platforms.

How Was the Data Breach at Colorado State University Discovered?

The discovery of the colorado state university data breach occurred through routine monitoring protocols. Suspicious activity prompted further investigation, unraveling unauthorized access to sensitive information. Swift action was taken to mitigate the breach’s impact and enhance cybersecurity measures. The incident highlights the importance of constant vigilance and proactive measures to safeguard data integrity.

Clop Already Extorting Impacted Organizations

The Clop gang began extorting organizations affected by the MOVEit data theft attacks almost two weeks ago, on June 15, by publicly listing their names on Clop’s dark web data leak site. Several organizations have confirmed that they were impacted, including Shell, the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, UnitedHealthcare Student Resources (UHSR), and Landal Greenparks. Other victims that have already disclosed breaches related to the MOVEit Transfer attacks include the U.S. state of Missouri, the U.S. state of Illinois, Zellis (along with its customers BBC, Boots, Aer Lingus, and Ireland’s HSE), Ofcam, the government of Nova Scotia, the American Board of Internal Medicine, and Extreme Networks. Additionally, several U.S. federal agencies have also been compromised.

Customers of MOVEit Transfer were warned last week to restrict HTTP access to their servers after info on a new SQL injection (SQLi) security flaw (CVE-2023-35708) was published online. This warning came after another advisory disclosed several other critical SQL injection vulnerabilities collectively tracked as CVE-2023-35036.