18 July 2023  — 
Eric Swotinsky

Data of more than 45,000 NYC students stole in MOVEit Breach

Attackers have stolen sensitive personal information from the MOVEit Transfer server of the New York City Department of Education (NYC DOE), affecting approximately 45,000 students.

The NYC DOE used the managed file transfer (MFT) software for secure data exchange with vendors, including special education service providers. The servers were patched after the developer disclosed the exploited vulnerability (CVE-2023-34362), but the attackers had already conducted large-scale zero-day attacks. The affected server was taken offline, and NYC DOE is collaborating with NYC Cyber Command to address the incident. 

An internal investigation revealed that around 19,000 documents were accessed without authorization, compromising data such as Social Security Numbers and employee ID numbers of approximately 45,000 students, DOE staff and service providers. The FBI is investigating the breach, for which the Clop ransomware gang has claimed responsibility. 

The Advanced Data Loss Prevention pack for Acronis Cyber Protect Cloud monitors access to your data and helps to prevent any data exfiltration.