The Minnesota Department of Education (MDE) has confirmed that one of its data servers experienced a data breach as part of a global cybersecurity attack targeting MOVEit software.
MOVEit is a global software used by many companies and government agencies that has become a widely exploited attack vector. Federal cybersecurity authorities said last week that several Federal agencies have been victims of intrusions affecting their MOVEit applications.
Late last month Minnesota IT Services (MNIT) was informed by a third-party vendor of a potential vulnerability with their MOVEit file transfer service. On the same day, MDE files on a MOVEit server were accessed by an outside entity. The department further noted that as soon as the vulnerability was identified, MNIT and MDE took immediate steps to prevent any further unauthorized access and to ensure the safety and security of their data. Additional steps were taken to investigate and assess the impact of the breach, and to put more security measures in place.
According to the initial investigation, 24 MDE files were accessed as a result of the global vulnerability. The state said these files included data transferred to MDE from the Minnesota Department of Human Services (DHS) to meet state and Federal reporting requirements, as well as files from two school districts (Minneapolis and Perham), and Hennepin Technical College.
In terms of data compromised, the files in question contained information approximately 95,000 names of students placed in foster care throughout the state, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a particular Minneapolis Public Schools bus route.
The files accessed relating to foster care students contained demographic data including the names, dates of birth, and county of placement. These files were transferred to MDE from the Minnesota Department of Human Services under a data sharing agreement to meet state and Federal reporting requirements.
MDE further explained that information accessed related to the P-EBT files contained demographic data including student name, date of birth, and in some instances home addresses and parent/guardian name(s). The data related to PSEO participants included student name, date of birth, addresses, and in some instances parent/guardian name(s), as well as, high school and college transcript information containing the last four digits of the student’s social security number. The files related to the Minneapolis Public Schools bus route contained the names of five children, without further identifying or contact information.
According to current investigation findings, no financial information was included in any of the files in the data breach. MDE said it is currently working to notify those individuals whose data was accessed. MDE also confirmed that there have been no ransom demands made to date. Additionally, MDE is not aware that the data has been shared or posted online. The department further explained that no virus or other malware was uploaded to its hardware systems.
MDE and its partners said they have notified the FBI, Minnesota Bureau of Criminal Apprehension, and Office of the Legislative Auditor about the breach.