Latest breach of NYC student data, one in a depressing series, some previously unrevealed

Below are the emails DOE sent out Friday, Saturday, and Sunday about their latest data breach from the use of a file transfer system called MOVEit, affecting at least 45,000 students and untold numbers of staff. Articles about the breach were reported in the Daily News, Gothamist, NY Post and Chalkbeat, among others.

The first DOE email below was sent on Friday to reporters; the second on Saturday to “staff" and the third on Sunday to families. Lots of unanswered questions here, including why the DOE doesn’t call this a breach (likely for legal liability reasons); whose Social Security numbers were exposed, exactly when they discovered the breach, when they applied the recommended “patches” and when they took the program offline.

The vendor, Progress, announced the vulnerability on May 31 and offered software “patches” soon after. Minnesota Department of Education announced that student data was exposed on June 9^th, and posted detailed info about the breach on its website on that date,, informing how parents can protect themselves and their children from identity theft at that time..  

The federal cybersecurity agency CISA sent out an alert on June 7,that was picked up in several news stories, and again  more broadly about the hack on June 15, as did the University of Georgia and Johns Hopkins, that their student data was affected. That same day, the Russian hacking group known as CLOP started listing their victims, including many businesses, state agencies, financial institutions, and the National Student Clearinghouse.   

Instead of laying out when they had learned about the hack, the DOE email to reporters bragged that “DOE was identified as having been impacted by this vulnerability because of a proactive investigation led by NYC Cyber Command and DOE. NYC Cyber Command and DOE have deployed additional resources to support this investigation, patch vulnerable systems, and remediate the vulnerability.” A proactive investigation how?

It was not until June 24 that the DOE reported the breach on their website, which they call a "data incident." 

I sent in a request to the new DOE Chief Privacy Officer, Dennis Doyle, and and Nathaniel Steyer, for the contract and privacy/security provisions for MOVEit, supposed to be posted on the DOE website but of course isn't. I haven't gotten any response as of yet. 

As I told the Daily News and Gothamist reporters, this breach is yet another indication of a troubling lack of seriousness and clarity evinced by DOE when it comes to protecting personal student data. The huge Illuminate breach that occurred last year involved nearly one million NYC students, including many students who had long graduated - data which Illuminate should have deleted already.  

Before that there was a breach of the Upguard system in 2021, and before that, at least two breaches from data stored on unprotected Google drives; the first one which was not publicly admitted by DOE until the second one occurred.  

The Special Commissioner of Investigation excoriated the DOE at length in a Sept. 2021 letter that I obtained through a FOIL and the two Google drive breaches, as the DOE had falsely assured their office that they had fixed the problem after the first unsecured Google drive breach.  

In any case, in the annual SCI report for 2021, it was revealed that in January 2022, the DOE had noted that its “most significant corruption hazards [were] in the following areas: (1) the procurement, distribution and safeguarding of air purifiers and (2) data security.”

More recently this past March 2023, a breach of personal information occurred, including 50,000 records of special education students contained in billing records issued by a service provider called Encore Support Services, stored on an unprotected cloud drive. According to the expert who uncovered the breach, Jeremiah Fowler, each record contained a student’s name, OSIS number, home address, parent names, the billing amount, and diagnosis code. Here is a sample redacted portion of the billing record:

Yet after being contacted by a reporter about this breach, the DOE was adamant that they had no responsibility to do anything about it or even inform these families, because these were nonpublic school students whose services they were ordered to pay for via impartial hearings, and therefore the state studen privacy law did not apply and that they had no "contractual" obligations.

Yet I wonder, didn't those families have a right to know in any case? In addition, on Checkbook NY, I found that there were nearly a thousand DOE payments to Encore Support Services, since April 11, 2022, listed under "categorical payments for OTPS" "CW SE INSTR & SCHL LEADERSHIP - OTPS", "GE INSTR & SCH LEADERSHIP - OTPS" and even "UNIVERSAL PRE-K - OTPS", all categories which refer to services provided to public school students rather than those attending non-public schools. Nevertheless, the DOE convinced the reporter I had briefed and her editor not to write about the breach.

_________

From: Styer Nathaniel <NStyer@schools.nyc.gov>
Date: June 23, 2023 at 5:59:43 PM EDT
To: Press Office <press@schools.nyc.gov>
Subject: Update: NYC DOE Data Incident

Dear reporter – please see below for a statement from me and information on background from NYC DOE and the NYC Cyber Command.

"The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. We recently learned of a security vulnerability in a third-party file-sharing software, MOVEit, which has impacted both private and government customers globally. Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the DOE community with more information as soon as we are able.”

Background from the DOE: Notifications to individuals whose confidential information was compromised will begin this summer. Along with the notification, individuals will be offered access to an identity monitoring service.

Within hours of learning of the vulnerability, DOE had fully patched the software as recommended by Progress and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Working with NYC Cyber Command, we immediately began an investigation to determine if data had been accessed without authorization and engaged a leading e-discovery firm to begin a full review of the impacted files DOE has also taken the server offline and is continuing to keep it offline out of an abundance of caution. The e-discovery firm performed an in-depth analysis, which produced preliminary results on June 23rd.

We are currently cooperating with both NYPD and FBI investigations into this breach.

The DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers.

Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual.

1. It is estimated that approximately 45,000 students, in addition to DOE staff and related service providers, were affected.  All individuals whose confidential information was compromised will be notified. 
2. Data impacted includes:
1. Social Security Numbers
2. OSIS numbers
3. Dates of birth
4. Employee IDs
3. Approximately 19,000 documents were accessed without authorization.
4. The types of documents that were accessed include student evaluations/related services progress reports, Medicaid reports related to the provision of related services, and internal records related to DOE employees’ leave status.
5. The types of data and information impacted for each individual varies from person to person. For example, not every individual’s SSN was impacted.

Additional Background from NYC Cyber Command:

1. Over the past several weeks, the global cybersecurity community has been responding to the disclosure of a “zero-day vulnerability” within a file-transfer software system called MOVEit. This is a vulnerability that was not previously known by the software company, Progress, or its customers. 

1. This vulnerability impacted customers around the world, including government entities such as the State of Maryland, the State of Illinois, and the United States Department of Energy.
2. As far as we know, this vulnerability allowed the threat actor to take files within the MOVEit application during a limited window of time. There is no indication that the threat actor attempted or was able to access other parts of the victims' networks.

1. As of now, no NYC Department of DOE (DOE) data has been published, nor has DOE been subject to a threat or ransom demand.
2. DOE was identified as having been impacted by this vulnerability because of a proactive investigation led by NYC Cyber Command and DOE. NYC Cyber Command and DOE have deployed additional resources to support this investigation, patch vulnerable systems, and remediate the vulnerability. There is no indication that this attack is ongoing.

 -- 

Nathaniel Styer

Press Secretary

New York City Public Schools

From: Communications <Communications@schools.nyc.gov>
Sent: Saturday, June 24, 2023 5:53:45 PM
Subject: Information Regarding Data Security Incident

Dear Staff: 

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

 

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included). 

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

 The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

 

Thank you, 

 

Emma Vadehra

Chief Operating Officer

New York City Department of Education

From: NYC Public Schools <noreply@schools.nyc.gov>
Date: June 25, 2023 at 1:29:05 PM EDT
Subject: Information Regarding Data Security Incident
Reply-To: NYC Public Schools <NoReply@schools.nyc.gov>

Dear Families:

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

Thank you,

Emma Vadehra

Chief Operating Officer

New York City Department of Education

 

 

 -- 

Nathaniel Styer

Press Secretary

New York City Public Schools

From: Communications <Communications@schools.nyc.gov>
Sent: Saturday, June 24, 2023 5:53:45 PM
Subject: Information Regarding Data Security Incident

Dear Staff: 

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

 

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included). 

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

 The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

 

Thank you, 

 

Emma Vadehra

Chief Operating Officer

New York City Department of Education

From: NYC Public Schools <noreply@schools.nyc.gov>
Date: June 25, 2023 at 1:29:05 PM EDT
Subject: Information Regarding Data Security Incident
Reply-To: NYC Public Schools <NoReply@schools.nyc.gov>

Dear Families:

We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.

We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).

The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.

The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.

Thank you,

Emma Vadehra

Chief Operating Officer

New York City Department of Education