A widespread data breach in New York City Schools has compromised the sensitive information of thousands of students and staffers, the city Department of Education said.
Approximately 45,000 students plus school employees and service providers were affected, officials announced.
The confidential data taken includes social security numbers, dates of birth, employee IDs and OSIS numbers, the nine-digit numbers issued to all students who attend a city public school.
Overall, 19,000 documents were accessed from the file transfer system MOVEit. Documents included student evaluations, progress reports, Medicaid reports, and records related to DOE employees' leave status.
“The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education,” spokesperson Nathaniel Styer said in a statement on Friday evening.
“We recently learned of a security vulnerability in a third-party file-sharing software, MOVEit, which has impacted both private and government customers globally,” Styer continued. “Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected.”
MOVEit has been the target of an apparent global hacking campaign. Vulnerabilities in the software, which is widely used throughout the federal government as well, have led to intrusions within numerous agencies, including the U.S. Department of Energy.
The DOE said it is cooperating with the NYPD and FBI investigations.
Parents have not yet been notified directly of the breach, but notifications to individuals whose information was compromised will begin this summer.
Officials did not immediately share how many staff members were impacted. No education department data has been published as a result of the breach so far, officials said.
“Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems,” Styer continued.
The information was taken during a specific window of time, according to the DOE, which didn’t detail when the hack happened.
Those impacted will be offered access to an identity monitoring service, officials said.
“We have already been in direct communication with the Chancellor’s team to mitigate the impact,” the Council of Supervisors and Administrators Union told its members Saturday morning in an email obtained by The Post.
“We will be monitoring the situation closely over the weekend to make sure the city is taking the necessary immediate actions to protect you and the families you serve.”
“We will insist the DOE provide you with the necessary communications to share with your community members, and we will advocate that the DOE provide appropriate credit fraud protection to anyone whose information was compromised,” the CSA continued.
This is only the latest security breach in the city public school system.
In January 2022, the personal data of about 820,000 current and former city public school students was compromised by a breach of Illuminate Education.
The breach of Illuminate, a taxpayer-funded software company the DOE used to track grades and attendance, resulted in a hacker gaining access to students’ names, birthdays, ethnicities and English-speaking, special-education and free-lunch statuses.
The DOE later banned the vendor.