The confidential information of thousands of students and staff members was exposed in a sweeping cyber-attack on New York City Public Schools, according to a recent announcement by the city’s Department of Education.
Around 45,000 individuals, including students, employees, and service providers, are impacted by this breach. The exposed data includes sensitive details such as social security numbers, birth dates, and employee and student IDs.
The security violation was traced to the file transfer platform MOVEit, where nearly 19,000 files were accessed. These files consisted of students’ evaluations, progress reports, Medicaid reports, and details related to the leave status of DOE staff.
According to the letter on the NYC Public Schools website, the vulnerability impacted customers worldwide, including other government agencies. It was quickly addressed by patching the software and taking the server offline. An internal investigation revealed that certain Department of Education files were compromised.
The letter added, “The New York City Department of Education is committed to determining which confidential information was exposed and the specific impact for each affected individual. Those affected will be notified and offered access to an identity monitoring service.”
The spokesperson for the NYC Department of Education, Nathaniel Styer, stressed the department’s commitment to the safety and security of students and staff.
He said, “We recently learned of a security vulnerability in a third-party file-sharing software, MOVEit, which has impacted both private and government customers globally.”
He added that collaborative efforts with the NYC Cyber Command led to the immediate resolution of the issue, and an internal investigation confirmed that some DOE files were compromised.
Affected individuals will be informed about the data breach in “the summer.” The department has not yet disclosed the number of staff affected.
According to Styer, they believe there’s no continued unauthorized access to DOE systems. The exact timeline of the hack hasn’t been disclosed.
He said, “Our top priority is determining exactly which document information was exposed and the specific impact for each affected individual.”
The Council of Supervisors and Administrators Union assured its members that it is actively communicating with the Chancellor’s team to mitigate the impact. The union will monitor the situation over the weekend and demand that the DOE provide the necessary support, including credit fraud protection.
MOVEit has reportedly been the target of a worldwide hacking operation. The software’s vulnerabilities have caused data breaches in numerous agencies, including the United States Department of Energy. The city’s DOE is currently aiding the NYPD and FBI in their ongoing investigations.
This breach follows a similar incident in January 2022, in which the personal data of about 820,000 current and former city public school students was compromised due to a security breach at Illuminate Education, a software company funded by taxpayers and used by the DOE to track students’ grades and attendance.