
Threat actors broke into the NYC DOE’s MOVEit Transfer server and stole documents containing the personal information of up to 45,000 students.
After the MOVEit developer disclosed the exploited vulnerability (CVE-2023-34362), NYC DOE patched the servers, but attackers were already using the bug as a zero-day before security updates were available.
After the breach was discovered, the affected server was taken offline, and the NYC DOE is working with the NYC Cyber Command to address the incident.
The investigation revealed that certain DOE files were affected. It is ongoing, and the preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected.
Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers.
On June 15, the Clop ransomware gang began extorting organizations affected by MOVEit data theft attacks by publicly listing their names on Clop’s dark web data leak site.
Shell, the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, UnitedHealthcare Student Resources (UHSR), and Landal Greenparks are just a few of the companies that have confirmed that they were affected.
Other victims that have already disclosed breaches related to the MOVEit Transfer attacks include the US states of Missouri and Illinois, Zellis, Ofcom, the government of Nova Scotia, the American Board of Internal Medicine, and Extreme Networks.
The US CISA has revealed that several US federal agencies have also been compromised, as have two US Department of Energy (DOE) entities.