The New York City Department of Education has become the latest organization to disclose that it had private data stolen as part of the far-reaching MOVEit file transfer software hack. In an email sent to parents on Sunday, the agency said the personal information of approximately 45,000 students, including in some cases social security numbers and dates of birth , has just been compromised. The Department of Education said staff personal information was also accessed but did not share how many teachers and other staff were affected.
“The safety and security of our students and staff, including their personal information and data, is of utmost importance to the New York City Department of Education. Our top priority is to determine what confidential information is exposed, and the specific impact on each affected individual,” the department said Sunday. “Once that determination is made, we will begin preparing notifications to individuals whose confidential information has been compromised. With the announcement, individuals will be given access to an identity monitoring service.
The Department of Education is one of several organizations affected by the MOVEit hack. Clop, a ransomware gang with suspected pro-Russian ties, claimed responsibility for the cyberattack in early June. The group exploited a zero-day vulnerability in business file transfer software to breach the servers of “hundreds of companies,” including the largest US pension fund. The scale of the breach at the New York City Department of Education was small compared to some of the other victims caught up in the hack but is notable for including the personal information of minors. In an interview with Bleeding Computer, the Clop gang claims it will delete any data it gets from governments, the military and children’s hospitals. It is not clear whether the group includes student data in the last category.