Foster advocates critical of MN Department of Education’s handling of data breach

Foster advocates critical of MN Department of Education’s handling of data breach

Foster advocates critical of MN Department of Education’s handling of data breach

The Minnesota Department of Education (MDE) is facing criticism for its handling of a data breach on May 31. During the cyberattack, information about 95,000 students placed in foster care statewide was accessed.

“I was shocked but not surprised,” said Hoang Murphy, the executive director of Foster Advocates. “This was preventable.”

According to Murphy, his team met with MDE in March to express concerns after a data breach hit Minneapolis Public Schools in February.

“We met with the Department and said you’re probably next, and there are huge files and vulnerabilities that you are needing to protect with fosters,” said Murphy.

His frustration grew when MDE was hit by the cyberattack at the end of May.

“Professionally sure, but it’s also deeply personal,” said Murphy. “I was in Minnesota’s foster care system. My data is likely in this data set.”

According to the MDE, the data accessed included names, dates of birth, and county of placement. The agency said in a press release the files were transferred to MDE from the Minnesota Department of Human Services to meet state and federal reporting requirements.

The state uses software called MOVEit to transfer files, which the attackers targeted. Major corporations, organizations, and governments, including the BBC, British Airways, and the Nova Scotia government were also hit in the attack. According to the Minnesota Department of Commerce, it’s attributed to the Russian hacker group Clop, which exploited a security vulnerability in the file transfer software.

“We immediately shut down the server, implemented the fix the company provided to us, and began assessing what data was accessed and who was involved and how we need to notify these people,” said Kevin Burns, the spokesperson for MDE, during an interview on June 9.

In an update on Friday, Burns told 5 EYEWITNESS NEWS the server has remained offline since the attack and will remain offline until further notice.

According to Burns, the company has discovered two additional vulnerabilities since the initial incident and has provided MDE and MNIT with fixes. He added there haven’t been any ransom demands, further attacks, nor has the data been posted anywhere.

The Minnesota Department of Human Services said, “We must always be on guard to protect sensitive information – especially about children. We’re grateful that our partners at the Department of Education and MNIT acted quickly when they became aware of this incident. Anyone who is concerned their data may have been exposed should reach out to the Department of Education through their website.”

“You can’t un-ring a bell so this information can’t be called back,” said Murphy, who worries this breach could put foster children in an even more vulnerable position. “Fosters are already at an incredibly high risk of identity theft.”

Murphy explained there might also be anxiety the personal information accessed could lead to sensitive placement details being discovered, such as the reason why a child was moved into foster care.

“Even if that data is not publicly available, the fear of it being released and the isolation from that now being called out and of being identified as being in foster care is deeply harmful,” said Murphy. “I think it’s really important that the department, the state does not diminish that harm and fully acknowledges it.”

He encourages those who are affected to freeze their credit, get credit monitoring, and speak to their bank.

“Just assume your data was breached,” said Murphy. “It’s better and safer for you to make that assumption and then take the steps necessary to protect it.”

MDE confirmed it met with Foster Advocates earlier this spring and discussed cyber security. Spokesperson Kevin Burns said, “MDE and our MNIT partners take the protection and security of all data very seriously and this remains one of our highest priorities.”

The Minnesota Attorney General’s Office recommends consumers affected by the breach call one of three major credit bureaus –   Experian, Equifax, or TransUnion – to place a fraud alert on their credit report, which will remain for 90 days.

Foster advocates critical of MN Dept. of Education’s handling of data breach

Foster advocates critical of MN Dept. of Education's handling of data breach