The exploit granted unauthorized access to critical student and staff information, affecting 45,000 students and 19,000 documents.

Personal data of over 45,000 public school students was compromised in a breach involving the file-transfer software MOVEit, according to a community letter sent to families and staff by the New York City Department of Education.

"DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third party special education service providers," the letter said.

The breach is the latest exploit of a SQL injection vulnerability found in MOVEit Transfer, a widely used file transfer software by Progress Software.

Documents exposed before patching

Although the New York City DOE, with the help of the NYC Cyber Command, fully patched the software hours after learning of the vulnerability, there were already 19,000 documents accessed without authorization, the DOE's internal investigation revealed.

The servers have been taken offline out of caution, according to Emma Vadehra, the chief operating officer of the DOE. "Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems," she added.

Preliminary results from the internal investigation also revealed that approximately 45,000 students, excluding DOE staff and related service providers, were affected. Types of data impacted include Social Security numbers and employee ID numbers.

MOVEit vulnerability hit by many exploits

The file-transfer vulnerability had been exploited in the wild well before Progress Software sent out a notification about it on May 31. MOVEit customers were advised to check for indicators of unauthorized access over at least the prior 30 days, which implied that attacker activity was detected before the vulnerability was disclosed.
Within days of the notification, the Clop ransomware gang was reported to have hit at least three US government agencies by exploiting MOVEit file-transfer flaws. The State Department offered a $10-million reward for proof of Clop links to a foreign government.

The community letter by DOE gave assurance that it will help those affected by the breach, promising to follow up with notifications to individuals with instructions on how to deal with any compromise of personal data. Additionally, they will be offered access to an identity monitoring service.

The DOE also revealed that the FBI and the New York Police Department are investigating the breach, and they are waiting for further details from the investigation.