The New York City Department of Education revealed in a letter tweeted on Saturday that it was among the victims of the global cyberattack involving MOVEit, a third-party file-sharing software platform.
According to a preliminary investigation, an estimated 45,000 students — as well as department staff and service providers — had data exposed across 19,000 documents. Among that data were employee ID numbers and about 9,000 Social Security numbers.
The school system is cooperating with the New York Police Department and the FBI as further details emerge. The MOVEit data breach impacted more than 100 organizations around the world, including government agencies like the U.S. Department of Energy. The Clop ransomware gang, which reportedly has ties to Russia, has claimed responsibility for the cyberattacks.
In addition to the nation’s largest school system, the Minnesota Department of Education also fell victim to the MOVEit breach.
The Minnesota agency announced June 13 that 24 of its files had been accessed, exposing data with information on 95,000 students in foster care, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer, 29 students taking classes at Hennepin Technical College in Minneapolis, and five students who rode on a specific Minneapolis Public Schools bus route.
Cybersecurity remains a persistent concern for schools, and states are slowly ramping up efforts to help school districts lock down their networks. According to a January report by the Consortium for School Networking, 18 states enacted 37 cybersecurity laws impacting the education sector in 2022.