Facebook Twitter

45,000 NYC students among the victims of MOVEit global data breach, DOE officials say

A child’s hands typing on a black laptop keyboard.

The MOVEit security breach has affected millions, as private companies and government agencies, including the NYC education department, saw their user data compromised.

Carolyn Ann Ryan/Getty Images

Tens of thousands of New York City students were among the millions of victims who have had their personal information compromised through the recent MOVEit data breach, education officials said Friday.

A security vulnerability in the file-sharing software MOVEit — widely used by private companies and governments to safely transfer documents and data — has wreaked havoc in recent weeks as hackers accessed sensitive information across the globe.

Officials estimated roughly 45,000 students, as well as education department staff and service providers, were impacted by the data breach. For those affected, that could mean social security numbers, OSIS numbers, dates of birth, and employee IDs were stolen.

Roughly 19,000 documents were also accessed without authorization, including student evaluations and related services progress reports, Medicaid reports for students receiving  services, as well as internal records related to DOE employees’ leave status.

City officials said they would notify individuals whose data was compromised “this summer,” though they did not specify a date. The kind of data impacted could vary from person to person, officials said. Those affected will be offered access to an identity monitoring service, which helps people track if their information is being used illicitly.

The department patched the software within hours of learning about the vulnerability and is working with local and federal law enforcement agencies to investigate the breach, officials said.

“Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected,” said Nathaniel Styer, an education department spokesperson, in an emailed statement. “Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the DOE community with more information as soon as we are able.”

Nationally, the data breach has affected millions — as financial institutions and government agencies were impacted by the sweeping cyberattack. 

It’s not the first time New York City students have been subject to a cyberattack. Roughly 820,000 current and former students had their information compromised last year after a security breach of a company used by schools for tracking attendance and grading.

In the aftermath, experts told Chalkbeat that families should change passwords associated with their child’s school accounts, monitor their credit, and watch out for scam calls and emails. 

City officials said the DOE has not been subject to any threat or ransom, and none of its information has been published.

Julian Shen-Berro is a reporter covering New York City. Contact him at jshen-berro@chalkbeat.org.

The Latest
I have no formal training, but I’m an expert in my child.
The tentative contract agreement comes after tense negotiations and concerns a strike would disrupt the first few weeks of the school year.
This ENL teacher wants her students to feel comfortable sharing their stories and identities.
The chancellor largely stuck to ideas he’s emphasized during his 20 months as chief. Chalkbeat wants to hear your thoughts on what he should prioritize.
Families at a Brooklyn Prospect Charter middle school were notified last week that a surge in new COVID cases had prompted precautionary measures.
The principal at Francis Lewis High School said one student was responsible for the accounts.