The Minnesota Department of Education announced Friday that some of its files were hacked as part of an international data breach.
The hack targeted a file transfer software called MOVEit, which many companies around the world use for the secure transfer of large files. On June 7, the FBI and the federal Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory about the attack.
According to cybersecurity firm Censys, over 3,000 hosts may have been exposed, including Fortune 500 companies and state and federal agencies. The BBC, British Airways, and the government of Nova Scotia all had data stolen in the attack. So did the Minnesota Department of Education.
The FBI and CISA named a Russian-speaking ransomware gang as responsible for the attack. The Minnesota Department of Education says it has not received a demand for ransom.
On Friday, the department reported that it had moved swiftly to address the situation. “We found out about this breach and we reacted to the breach almost simultaneously,” said Minnesota Department of Education communications director Kevin Burns. “We took immediate action as soon as we found out that there was a vulnerability. We closed the vulnerability using the tools that the company provided, and we immediately began planning how to analyze the data, how to notify the people that were impacted, and how to do this as quickly as possible.”
This incident marks the fourth time this school year that a Minnesota educational institution has been affected by a data breach. Three of the state’s largest school districts—Elk River, Minneapolis, and Rochester—all experienced ransomware attacks. The Minneapolis Public Schools hack contained 189,000 files that included sensitive information like detailed sexual assault reports, psychological reports, and school security maps. Many Minneapolis Public Schools families learned about the exposure of sensitive files through investigative reporting from national outlets like NBC News and The 74.
In its Friday morning announcement, the Minnesota Department of Education says 24 agency files were stolen in the attack. Of those, the agency says four contained personal data. Those files include:
- 95,000 names, dates of birth, and placement county of students in foster care
- 124 names and dates of birth for students in Perham–Dent Public Schools who qualified for pandemic nutrition benefits (P-EBT). In some instances, this data also included home addresses and names of parents or guardians.
- 29 names, dates of birth, and addresses for students taking Post-Secondary Enrollment Options courses at Hennepin Technical College. In some cases, this data also included parent/guardian names. In some instances it also included transcript information that included the last four digits of students’ social security numbers.
- 5 names of students who take a particular Minneapolis Public Schools bus route.
Brett Callow, a threat analyst for cybersecurity firm Emsisoft, said that the MOVEit breach marks the third time this ransomware gang has hacked a file-transfer platform. “This enables them to steal data from a large number of organizations in one fell swoop,” he said.
According to the advisory from the FBI and Cybersecurity and Infrastructure Security Agency, the MOVEit breach began on May 27. The Minnesota Department of Education says its files were accessed May 31—the same day that the state’s IT department was informed of a potential MOVEit vulnerability. The two departments “took immediate steps to prevent any further unauthorized access and to ensure the safety and security of their data,” according to the education department’s press release.
A message from the ransomware gang to affected organizations, obtained by Sahan Journal, specifically assures government agencies that their data is safe. “If you are a government, city, or police service, do not worry, we erased all your data,” the message said. “You do not need to contact us. We have no interest to expose such information.”
Callow viewed that assurance with skepticism. “I wouldn’t believe them for a minute,” he said. Even if the ransomware gang does not attempt to extort government bodies, he said, they can still sell the data or use it for phishing schemes.
The Minnesota Department of Education says that no financial information was accessed in this hack. Still, the agency advises people who may have been affected to take precautionary measures, such as monitoring credit reports.
The Minnesota Department of Education says it is in the process of contacting people affected by the stolen files regarding Perham–Dent Public Schools, Hennepin Technical College, and Minneapolis Public Schools. The agency reports it does not have contact information that it could use to notify the 95,000 foster children.
The agency is providing information on its website and through the media, as required by state law. You can find more information on the department’s data breach web page. That site includes steps people can take to protect themselves and an email address to contact if you think you may have been affected.