Dear Staff:
We have initial information to share about a recently identified security vulnerability in a third-party file-sharing software, MOVEit. The New York City Department of Education used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers. This vulnerability affected customers, including other government agencies, around the globe. Within hours of learning of the vulnerability, DOE had fully patched the software, working closely with NYC Cyber Command to remediate. We also took the server offline and are continuing to keep it offline out of an abundance of caution. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems.
We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).
The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education. Our top priority is determining exactly which confidential information was exposed, and the specific impact for each affected individual. When that determination is made, we will begin preparing notifications to individuals whose confidential information was compromised. Along with the notification, individuals will be offered access to an identity monitoring service.
The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both NYPD and FBI as they investigate. Given that review and investigation are ongoing, we are limited in terms of additional details at this point. We will continue to work closely with all investigating agencies and will provide updates as needed. Please know that we are committed to taking all measures necessary to protect the personal information of our students and staff. If you have any questions, please email Communications@schools.nyc.gov. Thank you for your understanding and patience as we work to further address this situation.
Thank you,
Emma Vadehra
Chief Operating Officer
New York City Department of Education