Personal data of over 45,000 public school students was compromised in a breach involving the file-transfer software MOVEit, according to a community letter sent to families and staff by the New York City Department of Education.

“DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third party special education service providers,” the letter said.

The breach is the latest exploit of a SQL injection vulnerability found in MOVEit Transfer, a widely used file-transfer product from Progress Software.

Documents exposed before patching

Although the New York City DOE, with the help of the NYC Cyber Command, fully patched the software hours after learning of the vulnerability, 19,000 documents had already been accessed without authorization, the DOE’s internal investigation revealed.

The servers have been taken offline out of caution, according to Emma Vadehra, the chief operating officer of the DOE. “Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems,” she added.

Preliminary results from the internal investigation also revealed that approximately 45,000 students, excluding DOE staff and related service providers, were affected.

Types of data impacted include Social Security numbers and employee ID numbers.

MOVEit vulnerability hit by many exploits

The file-transfer vulnerability had been exploited in the wild well before Progress Software sent out a notification about it on May 31. MOVEit customers were advised to check for indicators of unauthorized access over at least the prior 30 days, which implied that attacker activity was detected before the vulnerability was disclosed.

Within days of the notification, the Clop ransomware gang was reported to have hit at least three US government agencies by exploiting MOVEit file-transfer flaws. The State Department offered a $10-million reward for proof of Clop links to a foreign government.

The community letter by DOE gave assurance that it will help those affected by the breach, promising to follow up with notifications to individuals with instructions on how to deal with any compromise of personal data. Additionally, they will be offered access to an identity monitoring service.

The DOE also revealed that the FBI and the New York Police Department are investigating the breach, and they are waiting for further details from the investigation.