- The Minnesota Department of Education is among a growing list of organizations affected by a global data breach from the cyberattack against MOVEit software, which is often used by government agencies and companies to transfer sensitive data files.
- The department announced Friday it had discovered a potential vulnerability with the file share service on May 31 when a third-party vendor informed state officials of the concern. That same day, the department discovered 24 of its files on the MOVEit server had been accessed by an outside entity.
- Upon initial investigation, the department said information containing some 95,000 student names in foster care across the state were exposed in the breach. Those accessed files also included data such as the students' dates of birth and county of foster care placement.
The Minnesota Department of Education’s data breach appears to be the first time a state education agency has announced its sensitive and personal student data has faced unauthorized access following a cyberattack, said Julia Fallon, executive director of the State Educational Technology Directors Association.
While school districts — including Minneapolis Public Schools earlier this year — are ongoing targets for cyberattacks and data breaches, this latest vulnerability in a state department shows that higher levels of the education system can also fall victim to cyberattacks.
Other department information impacted by the data breach included data on 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer, or P-EBT, 29 students who were taking classes at Hennepin Technical College in Minneapolis, and five students who rode on a specific Minneapolis Public Schools bus route.
While no financial information was compromised, the department said it’s actively working to inform the affected individuals.
The department "takes data privacy very seriously. We understand that third parties illegally accessing private data can have negative consequences for those whose data was accessed,” officials said in a statement. Alongside Minnesota IT Services, the department is working to add more “security measures to protect private data and prevent instances like this from happening in the future.”
Ransomware group Clop has claimed responsibility for the MOVEit cyberattack in an effort to steal customer data from hundreds of organizations, and the exploits on the service have reportedly been underway for at least four months. The list of victims feeling the cyberattack’s repercussions is expected to continue growing.
This data breach further brings to light how technology vendors working with the education sector need to understand the unique and sensitive challenges of partnering with schools and districts that hold the information of minors, Fallon said.
“Because of the nature of the data and how valuable it is, it’s something for those vendors to really live up to their agreements and really be … vigilant,” Fallon said. “The vendor does have to play a part.”
Cybersecurity has continued to be named the top concern among ed tech leaders for the sixth year in a row, according to a recent survey by the Consortium for School Networking. The issue is the most pressing among state-level ed tech leaders, too, Fallon added.