The Guru's World

Navigating the Future of Cybersecurity


Cyberattack Exposes 45,000 NYC Students’ Data in MOVEit Breach

The New York City Department of Education (NYC DOE) has experienced a substantial data breach, jeopardizing the sensitive information of potentially 45,000 students. The breach occurred when hackers targeted the department’s MOVEit Transfer server and stole documents and data.

Details of the Data Breach

The department used the Managed File Transfer (MFT) software to distribute data to numerous vendors, among them providers of special education services. The incident stemmed from the exploitation of a vulnerability in the software, tracked as CVE-2023-34362. Hackers exploited this vulnerability as a zero-day, despite NYC DOE patching its servers upon receiving information about it.

In the meantime, the affected server has been taken offline. As part of its efforts to rectify the situation, the NYC DOE is working with NYC Cyber Command.

NYC DOE COO Emma Vadehra said the department conducted an internal investigation after discovering the breach. “According to our preliminary findings, approximately 45,000 students’ data was compromised in addition to DOE staff and service providers.”

Approximately 19,000 documents were accessed without authorization. About 9,000 Social Security numbers were involved in this unauthorized access, as well as employee identification numbers. The FBI and several other entities are also investigating this extensive breach.

Who’s Behind The Attack?

The cybercrime gang Clop is alleged to be responsible for the attack. According to the group, the CVE-2023-34362 MOVEit Transfer attacks were carried out on June 5. In a bold statement, the group claimed to have breached the MOVEit servers of several companies. According to Kroll, a corporate investigation and risk consulting firm, Clop has tested exploits for MOVEit zero-days since 2021.

Earlier this year, Clop targeted GoAnywhere MFT servers, SolarWinds Serv-U servers, and Accellion FTA servers with similar attacks.

Siemens Energy: Critical Data Remains Secure Post-MOVEit Cyberattack

The recent MOVEit cyberattack has affected several corporations and institutions. Siemens Energy confirmed on Tuesday that it was one of the affected entities. However, the energy giant says that no critical data has been breached and that the incident has not caused any interruptions to its operations. The company said it took immediate action as soon as it was made aware of the incident. Globally, organizations use MOVEit as a tool to transfer sensitive data. Last week’s hack compromised the personal information of members and customers of the U.S. pension fund Calpers and insurance company Genworth Financial (Reuters, 2023).

The Fallout

A dark web data leak site operated by the Clop gang listed the names of affected organizations on June 15.

In addition to Shell, several other organizations have confirmed being impacted by the cyber attack. These include the University of Georgia (UGA), University System of Georgia (USG), Heidelberger Druck, United Healthcare Student Resources (UHSR), and Landal Greenparks.

Several states and entities also reported breaches associated with the MOVEit Transfer attacks. These include Missouri, Illinois, Zellis (along with its clients BBC, Boots, Aer Lingus, and Ireland’s HSE), Ofcom, the government of Nova Scotia, the American Board of Internal Medicine, and Extreme Networks.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has revealed that numerous U.S. federal agencies have been affected by security breaches.

The cybersecurity environment continues to pose escalating challenges. Recently, Progress cautioned its MOVEit Transfer customers to limit HTTP access to their servers following the revelation of a new SQL injection security flaw. This alert was issued alongside the disclosure of several other SQL injection vulnerabilities.

Organizations must prioritize robust security measures to protect sensitive data as cybersecurity threats continue to evolve.

References

Gatlan, S. (2023, June 26). Hackers steal data of 45,000 New York City students in MOVEit breach. BleepingComputer. https://www.bleepingcomputer.com/news/security/hackers-steal-data-of-45-000-new-york-city-students-in-moveit-breach/

Reuters. (2023, June 27). Siemens Energy: No critical data was compromised after MOVEit data breach. https://www.reuters.com/technology/siemens-energy-no-critical-data-was-compromised-after-moveit-data-breach-2023-06-27/


