
NYC DOE hit by MOVEit hack, as list of compromised orgs grows

Impacted data includes Social Security numbers, student IDs, and dates of birth.

Peerapong Boriboon/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Add schools to the growing list of airlines, federal agencies, media companies, and other orgs hit by a breach of the managed file transfer software MOVEit.

In a June 24 letter, Emma Vadehra, chief operating officer at the New York City Department of Education, announced that the records of 45,000 students, plus DOE staff and related service providers, were potentially compromised. Impacted data includes Social Security numbers and employee IDs, according to the DOE statement.

While the cyberattack is another hit to the heavily targeted education sector, the MOVEit hack is a cross-industry compromise and one whose impact is still being understood.

“Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the DOE community with more information as soon as we are able,” DOE spokesperson Nathaniel Styer wrote in an email to IT Brew.

MOVEit on the move. Progress Software announced a zero-day vulnerability within its MOVEit Transfer and MOVEit Cloud platforms on May 31. The flaw enabled attackers to use a SQL injection, in which crafted input is executed as part of a database query, to “infer information about the structure and contents of the database.”

The Clop ransomware group claimed responsibility for the attacks exploiting the vulnerability, tracked as CVE-2023-34362, according to a statement in early June shared with BleepingComputer.

Working with NYC Cyber Command, the NYC DOE patched the software as recommended, “within hours of learning of the vulnerability,” Vadehra wrote in her announcement.

School daze. According to global Q1 research from the cybersecurity company Check Point, the education and research sector topped all other studied industries, averaging 2,507 cyberattacks weekly—an increase of 15% compared to the same time last year.

The NYC DOE “used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers,” Vadehra explained.

Such connections widen the impact possibility, according to Sue Bergamo, CISO and CIO of the management consulting firm BTE Partners.

“Think of it as a spiderweb. It starts in one area. But then as the infiltration goes out, and the compromise goes out, that attack gets broader and wider. And then it has multiple paths,” Bergamo told IT Brew. “So it could be almost anywhere at this point.”
