Minnesota Department of Education impacted by global data breach
The state’s education department announced Friday that one of its servers was affected by a global cybersecurity attack last week.
According to the Minnesota Department of Education (MDE), the breach targeted MOVEit software, a popular software used by many companies and government agencies.
The software company identified a vulnerability in the MOVEit software on May 31, according to MDE.
“The software company notified vendors, which notified us as a customer,” said Kevin Burns, the MDE spokesperson. “Almost simultaneously, that very day, people around the globe and the Minnesota Department of Education were hacked.”
Minnesota IT Services (MNIT) learned of the breach on May 31, the same day MDE files on a MOVEit server were accessed. The departments say both MDE and MNIT took immediate steps to protect their data, and officials started to investigate and assess the impact of the breach.
Burns explained the software company provided a fix for the problem, which the state used. He said they’ve performed tests every day to ensure it’s working.
“MDE takes data privacy very seriously. We understand that third parties illegally accessing private data can have negative consequences for those whose data was accessed,” the department said in a statement announcing the breach. “Working with our MNIT partners, MDE is adding additional security measures to protect private data and prevent instances like this from happening in the future.”
MDE says an initial investigation found that 24 of its files were accessed during the data breach. Those files included data that was transferred from the Minnesota Department of Human Services to MDE due to state and federal reporting requirements, as well as files from the Minneapolis and Perham school districts and Hennepin Technical College.
The department says the accessed files had the names of around 95,000 students placed in foster care around the state, 124 Perham students who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking post-secondary classes at Hennepin Technical College in Minneapolis and five students who were on a specific Minneapolis Public Schools bus route.
The information on the foster care students included demographic data, dates of birth and county of placement; the P-EBT files had demographic data, birth dates and some addresses and names of parents or guardians; the post-secondary data included similar data, plus some high school and college transcript information that contained the last four digits of students’ social security numbers; and the MPS bus route data contained only the names of five children but no other information, MDE says.
MDE is working to contact those affected by the attack.
“We’ve already mailed out more than 150 letters,” said Burns. “Some of these people were born literally in the 1940’s so this goes back many, many years.”
MDE added that no financial information was included in any of the files affected by the data breach and the department is working to notify anyone whose data was accessed. The department added that it hasn’t received any ransom demands, seen the data shared anywhere online or found any virus or other malware since the breach.
However, officials still recommend anyone who may have been impacted by the breach to take precautionary measures, such as monitoring personal credit reports.
The department also has more information and resources for anyone who might’ve been affected online.
The FBI, Minnesota Bureau of Criminal Apprehension and Office of the Legislative Auditor have all been notified of the breach, according to MDE.
“The FBI is aware of the incident. Due to an ongoing investigation, we decline to comment further at this time,” said an FBI spokesperson.
“The Department of Education was a victim of a crime,” said Mark Lanterman, the chief technology officer of Computer Forensic Services. “They identified they had a problem, they conducted what appears to be a very thorough analysis of what occurred and then they have notified the proper authorities including the state’s Legislative Auditor.”
He explained bad actors are typically motivated by money or ego. Other times, they’re doing an attack for practice.
“An organization is only as secure as their weakest link and sometimes that weakest link can be a vendor or a vendor’s product,” said Lanterman. “It’s easier to find one flaw than it is to have perfect security.”
He suggests those affected by the attack update their passwords, visit MDE’s website, and put a freeze on their and their children’s credit reports.