Hackers targeted the New York City Department of Education (NYC DOE), stealing sensitive personal information of up to 45,000 students from its MOVEit Transfer server. The server used managed file transfer (MFT) software for secure data transfer. The attackers exploited a zero-day vulnerability (CVE-2023-34362) in large-scale attacks before security updates were available. Approximately 19,000 documents, including Social Security Numbers and employee ID numbers, were accessed without authorization. The Clop ransomware gang claimed responsibility, stating it breached MOVEit servers of “hundreds of companies.” The FBI is investigating the broader breach affecting numerous entities.
NYC DOE COO Emma Vadehra mentioned that the affected server was taken offline after the breach was discovered, and NYC DOE is working with NYC Cyber Command to address the incident. She stated that a review of the impacted files is ongoing, with preliminary results indicating that around 45,000 students, along with DOE staff and related service providers, were affected. The FBI is investigating the broader breach that has impacted hundreds of entities, and NYC DOE is cooperating with both the NYPD and FBI as they investigate.
The Clop ransomware gang, known for its involvement in extensive data theft campaigns, claimed responsibility for the CVE-2023-34362 MOVEit Transfer attacks on June 5. The cybercrime gang revealed that it breached MOVEit servers of “hundreds of companies.” Kroll, a cyber risk management company, uncovered evidence suggesting that Clop had been actively testing exploits for the now-patched MOVEit zero-day since 2021 and researching methods to extract data from compromised servers since at least April 2022.
This incident is part of a broader pattern of targeting MFT platforms, with previous instances including the breach of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and the widespread exploitation of GoAnywhere MFT servers earlier this year in January.
