The exploit granted unauthorized access to critical student and staff information, affecting 45,000 students and 19,000 documents. Credit: Pixabay Personal data of over 45,000 public school students was compromised in a breach involving the file-transfer software MOVEit, according to a community letter sent to families and staff by the New York City Department of Education. "DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third party special education service providers," the letter said. The breach is the latest expoit of a SQL injection vulnerability found in MOVEit Transfer, a widely used file transfer software by Progress Software. Documents exposed before patching Although the New York City DOE, with the help of the NYC Cyber Command, fully patched the software hours after learning of the vulnerability, there were already 19,000 documents accessed without authorization, the DOE's internal investigation revealed. The servers have been taken offline out of caution, according to Emma Vadehra, the chief operating officer of the DOE. "Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems," she added. Preliminary results from the internal investigation also revealed that approximately 45,000 students, excluding DOE staff and related service providers, were affected. Types of data impacted include Social Security numbers and employee ID numbers. MOVEit vulnerability hit by many exploits The file-transfer vulnerability had been exploited in the wild well before Progressive Software sent out a notification about it on May 31. MOVEit customers were advised to check for indicators of unauthorized access over at least the prior 30 days, which implied that attacker activity was detected before the vulnerability was disclosed. Within days of the notification, the Clop ransomware gang was reported to have hit at least three US government agencies by exploiting MOVEit file-transfer flaws. The State Department offered a $10-million reward for proof of Clop links to a foreign government. The community letter by DOE gave assurance that it will help those affected by the breach, promising to follow up with notifications to individuals with instructions on how to deal with any compromise of personal data. Additionally, they will be offered access to an identity monitoring service. The DOE also revealed that the FBI and the New York Police Department are investigating the breach, and they are waiting for further details from the investigation. Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe