Brief description of diving:
The Minnesota Department of Education is among a growing list of organizations affected by a global data breach due to a cyber attack on MOVEit software, which is often used by government agencies and companies to transfer sensitive data files. The department announced Friday that it discovered a potential vulnerability in the file-sharing service on May 31 when a third-party vendor notified state officials of the issue. On the same day, the department discovered that 24 of its files on the MOVEit server had been accessed by an outside entity. After an initial investigation, the department said information containing about 95,000 names of students in foster care across the state was exposed in the breach. These accessed files also included information such as the students’ dates of birth and county of foster care placement.
Dive Insight:
The Minnesota Department of Education data breach appears to be the first time a state education agency has announced that its sensitive and personal student data was compromised after a cyber attack, said Julia Fallon, executive director of the State Association of Education Technology Directors.
While school districts — including Minneapolis Public Schools earlier this year — are constant targets for cyberattacks and data breaches, this latest vulnerability in the state department shows that higher levels of the education system can also fall victim to cyberattacks.
Other department information affected by the data breach included data on 124 students in the Perham school district who qualified for the Pandemic Electronic Transfer of Benefits, or P-EBT, 29 students who attended classes at Hennepin Technical College in Minneapolis and five students who rode a designated Minneapolis Public Schools bus route.
While no financial information was compromised, the department said it is actively working to notify affected individuals.
The department “takes data privacy very seriously. We understand that third parties illegally accessing private data can have negative consequences for those whose data is accessed,” officials said in a statement. With Minnesota IT Services, the department is working to add more “security measures to protect private data and prevent similar cases in the future.”
Ransomware group Clop has claimed responsibility for the MOVEit cyberattack in an attempt to steal user data from hundreds of organizations, with exploits on the service said to have been ongoing for at least four months. The list of victims feeling the effects of cyber attacks is expected to continue to grow.
This data breach further exposes how technology vendors working with the education sector must understand the unique and sensitive challenges of partnering with schools and districts that hold information about minors, Fallon said.
“Because of the nature of the data and how valuable it is, it’s something for those vendors to really honor their agreements and really be … careful,” Fallon said. “The seller has to play a role.”
Cybersecurity remains a top concern among office technology leaders for the sixth year in a row, according to a recent survey by the School Networking Consortium. The issue is also top of mind among tech leaders at the state level, Fallon added.
Comments are closed.