45,000 NYC students among the victims of MOVEit global data breach, DOE officials say

A child’s hands typing on a black laptop keyboard.
The MOVEit security breach has affected millions, as private companies and government agencies, including the NYC education department, saw their user data compromised. (Carolyn Ann Ryan/Getty Images)

Tens of thousands of New York City students were among the millions of victims who have had their personal information compromised through the recent MOVEit data breach, education officials said Friday.

A security vulnerability in the file-sharing software MOVEit — widely used by private companies and governments to safely transfer documents and data — has wreaked havoc in recent weeks as hackers accessed sensitive information across the globe.

Officials estimated roughly 45,000 students, as well as education department staff and service providers, were impacted by the data breach. For those affected, that could mean social security numbers, OSIS numbers, dates of birth, and employee IDs were stolen.

Roughly 19,000 documents were also accessed without authorization, including student evaluations and related services progress reports, Medicaid reports for students receiving  services, as well as internal records related to DOE employees’ leave status.

City officials said they would notify individuals whose data was compromised “this summer,” though they did not specify a date. The kind of data impacted could vary from person to person, officials said. Those affected will be offered access to an identity monitoring service, which helps people track if their information is being used illicitly.

The department patched the software within hours of learning about the vulnerability and is working with local and federal law enforcement agencies to investigate the breach, officials said.

“Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected,” said Nathaniel Styer, an education department spokesperson, in an emailed statement. “Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the DOE community with more information as soon as we are able.”

Nationally, the data breach has affected millions — as financial institutions and government agencies were impacted by the sweeping cyberattack. 

It’s not the first time New York City students have been subject to a cyberattack. Roughly 820,000 current and former students had their information compromised last year after a security breach of a company used by schools for tracking attendance and grading.

In the aftermath, experts told Chalkbeat that families should change passwords associated with their child’s school accounts, monitor their credit, and watch out for scam calls and emails. 

Become a Chalkbeat sponsor

City officials said the DOE has not been subject to any threat or ransom, and none of its information has been published.

Julian Shen-Berro is a reporter covering New York City. Contact him at jshen-berro@chalkbeat.org.

The Latest

Data from early February showed that 29% of migrant families who got such notices switched to other shelters, while 16% remained in their original shelter.

The governor says his proposed school aid would, for the first time, fully fund districts that have gone underfunded for years, including Newark.

How a small interaction changed my perception of my daughter’s school and my place in it.

A state lawmaker is giving the Memphis-Shelby County school board time to devise an improvement plan before pursuing legislation to empower Gov. Bill Lee to appoint up to six new members to the locally elected body.

To open, the charter school needs to rezone its former church building in Washington Township from religious to education.

The district also plans to merge its Simon Youth Academy with another alternative education program at Arsenal Technical High School.