The exploit granted unauthorized access to critical student and staff information, affecting 45,000 students and 19,000 documents.

Credit: Pixabay

Personal data of over 45,000 public school students was compromised in a breach involving the file-transfer software MOVEit, according to a community letter sent to families and staff by the New York City Department of Education.

“DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third party special education service providers,” the letter said.

The breach is the latest exploit of a SQL injection vulnerability found in MOVEit Transfer, a widely used file transfer software by Progress Software.

Documents exposed before patching

Although the New York City DOE, with the help of the NYC Cyber Command, fully patched the software hours after learning of the vulnerability, 19,000 documents had already been accessed without authorization, the DOE’s internal investigation revealed.

The servers have been taken offline out of caution, according to Emma Vadehra, the chief operating officer of the DOE. “Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems,” she added.

Preliminary results from the internal investigation also revealed that approximately 45,000 students, excluding DOE staff and related service providers, were affected. Types of data impacted include Social Security numbers and employee ID numbers.

MOVEit vulnerability hit by many exploits

The file-transfer vulnerability had been exploited in the wild well before Progress Software sent out a notification about it on May 31. MOVEit customers were advised to check for indicators of unauthorized access over at least the prior 30 days, which implied that attacker activity had been detected before the vulnerability was disclosed.
Within days of the notification, the Clop ransomware gang was reported to have hit at least three US government agencies by exploiting MOVEit file-transfer flaws. The State Department offered a $10-million reward for proof of Clop links to a foreign government.

The community letter by DOE gave assurance that it will help those affected by the breach, promising to follow up with notifications to individuals with instructions on how to deal with any compromise of personal data. Additionally, they will be offered access to an identity monitoring service.

The DOE also revealed that the FBI and the New York Police Department are investigating the breach, and that it is waiting for further details from the investigation.