45,000 NYC Students’ Personal Data Compromised in MOVEit Breach by Clop Ransomware Gang

The latest entity to reveal that it fell victim to the extensive MOVEit file transfer software breach is the New York City Department of Education. The agency notified parents via email on Sunday that the private data of around 45,000 students, which included social security numbers and birth dates in some instances, had been compromised. The department also confirmed that staff personal information was accessed, but did not disclose the number of teachers and other personnel affected.

“The security of our students and staff, including their personal information, is of the utmost importance to the New York Department of Education. Our first priority is to determine exactly what confidential information was exposed and the concrete impact on each individual,” the department said Sunday. “Once this decision is made, we will begin preparing notices to persons whose confidential information has been compromised. In connection with the notification, people are offered access to the identity control service.

The Department of Education is one of the many organizations affected by the MOVEit hack. Clop, a ransomware gang with suspected pro-Russian ties, claimed responsibility for the cyberattack in early June. The group exploited a zero-day vulnerability in corporate file transfer software to break into the servers of “hundreds of companies,” including the largest U.S. pension fund. The scope of the data breach at the New York Department of Education is small compared to some other hacking victims, but it is significant given the personal data of minors. In an interview with Bleeping Computer, the Clop gang claimed to delete all information they received from governments, the military and children’s hospitals. It is unclear whether the group includes student data in that final category.