The NYC DOE has reported a substantial data breach affecting its MOVEit Transfer server, leading to the theft of sensitive personal information of approximately 45,000 students. The NYC DOE used the server for the secure transfer of data and documents, both within the department and to external vendors, including providers of special education services. The NYC DOE patched the vulnerability (CVE-2023-34362) in the server as soon as the vendor disclosed it. However, attackers had already begun exploiting the bug before security updates were available.
Following the discovery of the breach, the server was taken offline. The NYC DOE is now working with NYC Cyber Command to manage the incident. According to NYC DOE COO Emma Vadehra, an internal investigation revealed that specific DOE files were compromised. "Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected," she stated. Unauthorized access was gained to around 19,000 documents, with the types of data impacted including Social Security Numbers and employee ID numbers.
The FBI is currently investigating a broader breach impacting numerous entities. The NYC DOE is cooperating with both the NYPD and FBI in their investigations. The Clop ransomware group has claimed responsibility for the CVE-2023-34362 MOVEit Transfer attacks, stating that they breached the MOVEit servers of hundreds of companies. Evidence has been found that Clop had been testing exploits for the now-patched MOVEit zero-day since 2021 and researching methods to extract data from compromised servers since at least April 2022.
The Clop gang has previously targeted MFT platforms, including the breach of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and the widespread exploitation of GoAnywhere MFT servers in January of this year. The group began extorting organizations affected by the MOVEit data theft attacks by publicly listing their names on Clop's dark web data leak site. Several organizations have confirmed they were impacted, and several U.S. federal agencies have also been compromised.
Last week, Progress warned MOVEit Transfer customers to restrict HTTP access to their servers after information on a new SQL injection (SQLi) security flaw (CVE-2023-35708) was published online. This warning followed another advisory disclosing several other critical SQL injection vulnerabilities collectively tracked as CVE-2023-35036.