Tens of thousands of New York City students were among the millions of victims who have had their personal information compromised through the recent MOVEit data breach, education officials said Friday.
A security vulnerability in the file-sharing software MOVEit — widely used by private companies and governments to safely transfer documents and data — has wreaked havoc in recent weeks as hackers accessed sensitive information across the globe.
Officials estimated roughly 45,000 students, as well as education department staff and service providers, were impacted by the data breach. For those affected, that could mean social security numbers, OSIS numbers, dates of birth, and employee IDs were stolen.
Roughly 19,000 documents were also accessed without authorization, including student evaluations and related services progress reports, Medicaid reports for students receiving services, as well as internal records related to DOE employees’ leave status.
City officials said they would notify individuals whose data was compromised “this summer,” though they did not specify a date. The kind of data impacted could vary from person to person, officials said. Those affected will be offered access to an identity monitoring service, which helps people track if their information is being used illicitly.
The department patched the software within hours of learning about the vulnerability and is working with local and federal law enforcement agencies to investigate the breach, officials said.
“Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected,” said Nathaniel Styer, an education department spokesperson, in an emailed statement. “Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the DOE community with more information as soon as we are able.”
Nationally, the data breach has affected millions — as financial institutions and government agencies were impacted by the sweeping cyberattack.
It’s not the first time New York City students have been subject to a cyberattack. Roughly 820,000 current and former students had their information compromised last year after a security breach of a company used by schools for tracking attendance and grading.
In the aftermath, experts told Chalkbeat that families should change passwords associated with their child’s school accounts, monitor their credit, and watch out for scam calls and emails.
City officials said the DOE has not been subject to any threat or ransom, and none of its information has been published.
Julian Shen-Berro is a reporter covering New York City. Contact him at jshen-berro@chalkbeat.org.