Minnesota Students’ Data Compromised Amidst Global MOVEit Software Vulnerability

• Minnesota Education Department Data Breach: The Minnesota Department of Education suffered a data breach impacting approximately 95,000 students, due to a cyber attack targeting MOVEit software. Swift actions were taken to secure the data and prevent further unauthorized access, highlighting the urgency of robust cybersecurity measures in protecting sensitive information.
• MOVEit Software Vulnerability: A critical SQL injection vulnerability was uncovered in MOVEit Transfer, which can potentially allow attackers to manipulate databases through malicious SQL code. This points to the importance of regularly patching and updating software, especially those handling sensitive data, to mitigate security risks.

MINNEAPOLIS, MN – The Minnesota Department of Education (MDE) has reported a significant data breach affecting one of its servers. The breach is linked to a worldwide cyber-security attack on the MOVEit software, which is widely used by various companies and government agencies for transferring files.

The breach was identified on May 31 when Minnesota IT Services (MNIT) was alerted by a third-party vendor about a possible vulnerability in the MOVEit software. The MDE discovered unauthorized access to its files on a MOVEit server on the same day.

MNIT and MDE acted promptly to secure the data and prevent further unauthorized access. An investigation was launched to determine the extent of the breach, and additional security measures were put into place.

Preliminary findings reveal that 24 MDE files were compromised. These files contained data pertaining to approximately 95,000 students in foster care across the state, 124 students from Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who used a specific Minneapolis Public Schools bus route.

The compromised data for foster care students included names, dates of birth, and counties of placement. The P-EBT and PSEO files contained more detailed information such as names, dates of birth, home addresses, and in some cases, names of parents or guardians. The PSEO files also included partial social security numbers. The files concerning the Minneapolis Public Schools bus route contained only the names of the five children involved.

MDE has confirmed that no financial data was compromised. As of now, there have been no ransom demands, and MDE has not found any evidence of the data being shared or posted online. No viruses or malware were uploaded to MDE’s systems.

The FBI, Minnesota Bureau of Criminal Apprehension, and Office of the Legislative Auditor have been notified of the breach.

While financial information was not accessed, MDE recommends that individuals potentially affected by this breach take precautions to protect themselves. This includes monitoring credit reports, which can be obtained for free once every 12 months from each of the three major consumer credit reporting companies. Credit reports can be requested at www.annualcreditreport.com or by calling 1-877-322-8228.

MDE emphasizes its commitment to data privacy. “We understand that third parties illegally accessing private data can have negative consequences for those whose data was accessed. Working with our MNIT partners, MDE is adding additional security measures to protect private data and prevent instances like this from happening in the future,” said an MDE spokesperson.

For more information, visit the MDE Data Breach webpage dedicated to this incident.

Rapid7, a cybersecurity firm, recently uncovered a critical SQL injection vulnerability in the MoveIT Transfer software, affecting versions from 2018 through 2021.03. The vulnerability has been designated as CVE-2021-3580 and has a severity rating of 9.8 out of 10. It’s worth noting that this vulnerability is currently being exploited in the wild. Users are strongly urged to update to the latest version, 2021.04, or apply the hotfix provided by Progress, the software’s developer, to mitigate the associated risks.