Cyber Incident Victim: Minnesota Department of Education
Date: May 2023
Location: United States of America

Summary
The Minnesota Department of Education experienced a data breach as part of a global cyberattack exploiting a zero-day vulnerability in the third-party MOVEit file transfer software. An unauthorized entity accessed 24 files containing information on approximately 95,000 students in foster care, along with data from a few school districts and a college. The compromised data included names, dates of birth, addresses, and in some instances, partial social security numbers, though no financial information was taken. No ransom was demanded and the data was not known to have been posted online.
Description
On May 31, 2023, the Minnesota Department of Education (MDE) was informed by a third-party vendor of a potential vulnerability associated with the MOVEit file transfer service. This notification was part of a wider, global cybersecurity incident targeting the MOVEit software, a managed file transfer product used by numerous companies and government agencies. On that same day, an investigation confirmed that MDE files residing on a MOVEit server had been accessed by an outside entity. The immediate response involved collaboration between MDE and Minnesota IT Services (MNIT), who took prompt action to prevent any further unauthorized access and to ensure the safety and security of the department's data. The server was secured, and additional steps were initiated to investigate the full scope of the breach and implement enhanced security measures.

The incident was part of a broader zero-day attack exploiting a vulnerability in MOVEit Transfer and MOVEit Cloud software, tracked as CVE-2023-34362 and described as an SQL injection flaw. This vulnerability had been widely exploited since late May 2023, though evidence indicated cybercriminals may have been testing it as early as 2021. The attacks were attributed to a cybercrime group known for the Cl0p ransomware operation. This group claimed to have compromised hundreds of organizations and issued a deadline for victims to make contact to prevent the public release of stolen data. Notably, the group publicly stated it would not attempt to extort government entities, including cities and law enforcement agencies, claiming to have erased their data.
The initial investigation by MDE determined that precisely 24 files were accessed as a direct result of this global vulnerability. The compromised data was not generated by MDE itself but was received from other entities under data-sharing agreements. The files contained information transferred to MDE from the Minnesota Department of Human Services (DHS) to meet state and federal reporting requirements. Additional affected files originated from two school districts, Minneapolis and Perham, and from Hennepin Technical College.
The bulk of the impacted individuals were connected to the foster care system. The files from DHS contained the demographic information of approximately 95,000 students placed in foster care throughout the state of Minnesota. The data elements accessed for these individuals included names, dates of birth, and their county of placement. MDE noted it did not possess contact information for these individuals.
Beyond the foster care data, the breach impacted smaller, distinct groups of students. Files pertaining to 124 students in the Perham School District who qualified for the Pandemic Electronic Benefits Transfer (P-EBT) program were accessed. These files contained demographic data including student name, date of birth, and in some instances, home addresses and parent or guardian names. Information on 29 students enrolled in Postsecondary Enrollment Options (PSEO) classes at Hennepin Technical College was also compromised. This dataset was more extensive, including student name, date of birth, addresses, and in some cases parent or guardian names. Crucially, it also contained high school and college transcript information that included the last four digits of the students' social security numbers. Finally, a file related to a Minneapolis Public Schools bus route contained the names of five children, with no further identifying or contact information included. MDE confirmed that no financial information, such as full credit card numbers or bank account details, was present in any of the accessed files.
In its public communications, MDE stated that to date, no ransom demands had been received. The department also reported no awareness that the stolen data had been shared or posted online. Furthermore, the investigation confirmed that no virus or other malware was uploaded to MDE’s own hardware systems during the incident; the compromise was limited to the exploitation of the third-party MOVEit software's vulnerability.
The response to the breach involved multiple coordinated actions. MDE worked with its partners to formally notify several law enforcement and oversight bodies, including the Federal Bureau of Investigation (FBI), the Minnesota Bureau of Criminal Apprehension, and the Office of the Legislative Auditor. A dedicated webpage was established to serve as a central hub for information and updates regarding the incident. MDE also began the process of directly notifying the individuals whose data was accessed, to the extent that contact information was available.
While no financial data was taken, MDE recommended precautionary measures for those potentially impacted, such as monitoring personal credit reports. The department provided information on the legally mandated free annual credit report available from the three major consumer credit reporting companies. The overarching response emphasized a commitment to data privacy and a recognition of the negative consequences that can arise from such illegal access to private information. In collaboration with MNIT, MDE committed to adding further security measures to protect private data and prevent similar incidents from occurring in the future. The involved parties noted that the investigation into the full extent of the incident was ongoing.
