The attackers targeted a vulnerability in the popular file-transfer software MOVEit, which New York public schools have used to share documents and data internally and with third-party vendors that include special education service providers.
“The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education,” said public schools spokesman Nathaniel Styer in a statement.
“We will provide impacted members of the DOE community with more information as soon as we are able,” he added.
The security flaw was previously unknown to MOVEit’s software company, Progress, or its users, according to the NYC Cyber Command. No public school data had been published as of Friday, nor was the agency facing a threat or ransom demand.
The massive ransomware operation has hit several state and federal agencies, from the federal Department of Energy and states of Maryland and Illinois, to Louisiana’s and Oregon’s departments of motor vehicles and transportation, respectively.
“Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected,” said Styer. “Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.”
The hack impacted fewer local students than a breach last year estimated to be the largest-ever of K-12 student data nationwide — but is hitting more sensitive information.
Personal data that was impacted ranged from Social Security numbers for some students and teachers, to roughly 19,000 documents including student evaluations and related services progress reports, Medicaid reports, and internal employee leave records.
Hackers also accessed student and employee ID numbers, and dates of birth. The data impacted per person may vary.
Education officials will notify students whose confidential information was compromised beginning this summer. Those families will be offered access to an identity monitoring service.
Cybersecurity experts suspect the hackers are a Russia-affiliated ransomware group known by the acronym CL0P.
The city worked with an e-discovery firm to do a full review of the impacted files, with preliminary results released Friday, and has taken down the impacted server.
An investigation by the NYPD and FBI is ongoing.
Over the last month, the hackers have used a software vulnerability to steal files from roughly 100 organizations, according to Axios, and demand ransom from some for not publishing them on their website.
Last year, the personal data of 820,000 current and former city public school students were compromised in the hack of a widely used online grading and attendance system from the company Illuminate Education.
That breach prompted a weeks-long shutdown of the systems and wreaked havoc on the city’s schools.
The attackers gained access to a database containing students’ names, birthdays, ethnicities, home languages and ID numbers since the 2016-17 school year. In some cases, they extracted information about whether students get special education services and economic status information.
At the end of the school year, the city called it quits with Illuminate Education, which again caused disruption for many teachers and families. A replacement grading and attendance system developed by the city has been slow to roll out, and throughout the fall left some parents without a sense of how their kids were performing in school.
“The state student privacy law was passed nearly a decade ago, in 2014, with rigorous security provisions,” said Leonie Haimson, who co-chairs the Parent Coalition for Student Privacy.
“To this day, DOE does not comply with the law when it comes to protecting student data and sadly, the State Education Department with oversight responsibility has done very little to ensure that they do,” she added.
©2023 New York Daily News. Distributed by Tribune Content Agency, LLC.