Klopp ransomware gang obtained personal data of 45,000 New York City students in MOVEit hack

The New York City Department of Education has become the latest organization to disclose that its personal data was stolen as part of the far-reaching MOVEit file transfer software hack. In an email sent to parents on Sunday, the agency said the personal information of about 45,000 students, including Social Security numbers and dates of birth in some cases, was recently compromised. The Department of Education said personal information of employees was also obtained, but did not say how many teachers and other personnel were affected.

“The safety and security of our students and staff, including their personal information and data, is of the utmost importance to the New York City Department of Education. Our top priority is to determine what confidential information was exposed and the specific impact it had on each affected individual, the department said on Sunday. “When this decision is made, we will begin preparing notifications for individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to the identity monitoring service.

The Department of Education is one of several organizations affected by the MOVEit hack. Klopp, a ransomware gang with suspected pro-Russia ties, claimed responsibility for the cyberattack in early June. The group took advantage of a zero-day vulnerability in enterprise file transfer software to break into the servers of “hundreds of companies,” including the largest US pension fund. The scale of the New York City Department of Education’s breach is small compared to some of the other victims caught up in the hack, but it is notable for involving the personal information of minors. in an interview with bleeping computer, the Klopp gang claimed that it would erase any data obtained from governments, the military, and children’s hospitals. It’s unclear whether the group includes student data in that last category.