NewsNation

NYC public school students’ data targeted in cyberattack

Editor’s Note: This story has been corrected to reflect that Progressive Software informed customers of the data breach on May 31.

NEW YORK (NewsNation) — A recent attack carried out by Russian cybercriminals appears to have exposed the personal data of tens of thousands of New York City public school students.


The New York City Department of Education announced the data breach in a letter to families notifying them that third-party file-sharing software, MOVEit, had been targeted. School officials estimated about 19,000 district documents were illegally retrieved, impacting 45,000 students and an undisclosed number of DOE staff. 

“Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the doe community with more information as soon as we are able,” the department told NewsNation.

The data types impacted include Social Security numbers and employee ID numbers, but not necessarily for all affected individuals, the department noted. Only 9,000 Social Security numbers were estimated to be included.

“It’s a very serious concern,” New York State Sen. John Liu (D), the chair of the NYC Education Committee, said. “I believe that DOE officials and city hall understand this is a top priority.”

The department has since deployed a software patch and there is no known further threat.

“Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual,” the department said in the letter to families. “When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised.”

The hackers, reportedly linked with Russian cybercriminals, took advantage of a security flaw and hacked a widely used file transfer software, exposing the personal data of millions of Americans.

The group was also allegedly responsible for breaching U.S. government offices and more than a dozen private companies nationwide.

Known victims to date include Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia provincial government, British Airways, the British Broadcasting Company and the U.K. drugstore chain Boots.

MOVEit’s parent company, Progressive Software, informed its customers of the data breach on May 31.

The Cybersecurity and Infrastructure Security Agency and the FBI are looking into the recent cyber attacks. 

The CISA said there’s no evidence suggesting the Russian group accused of carrying out the attack was working on behalf of the Russian government.

Blake Burman, Tyler Wornell, Devan Markham and Sean Noone contributed to this report.