MDE: Data server breached by global cyber-security attack

(ABC 6 News) – The Minnesota Department of Education (MDE) announced on Friday that one of its data servers experienced a breach as part of a global cyber-security attack.

MDE said the attack targeted the global software program, MOVEit, a file transfer service which is used by many companies and government agencies.

On May 31, Minnesota IT Services (MNIT) was informed by a third-party vendor of a potential vulnerability with MOVEit, according to MDE. That same day, MDE files on a MOVEit server were accessed by an outside entity. As soon as the vulnerability was identified, MNIT and MDE took immediate steps to prevent any further unauthorized access. Additional steps were taken to investigate and assess the impact of the breach, and to put additional security measures in place.

The initial investigation found that 24 MDE files were accessed. These files included data transferred to MDE from the Minnesota Department of Human Services (DHS) to meet state and federal reporting requirements, as well as files from two school districts (Minneapolis and Perham), and Hennepin Technical College.

These files contained information about approximately 95,000 names of students placed in foster care throughout the state, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a particular Minneapolis Public Schools bus route.

The files accessed relating to foster care students contained demographic data including the names, dates of birth and county of placement. These files were transferred to MDE from the Minnesota Department of Human Services under a data sharing agreement to meet state and federal reporting requirements. MDE does not have contact information for these individuals.

Information accessed related to the P-EBT files contained demographic data including student name, date of birth, and in some instances home addresses and parent/guardian name(s). The data related to PSEO participants included student name, date of birth, addresses, and in some instances parent/guardian name(s), as well as, high school and college transcript information containing the last four digits of the student’s social security number. The files related to the Minneapolis Public Schools bus route contained the names of five children, without further identifying or contact information.

No financial information was included in any of the files in this data breach. MDE is currently working to notify those individuals whose data was accessed. To date there have been no ransom demands nor is MDE aware that the data has been shared or posted online. Additionally, no virus or other malware was uploaded to MDE’s hardware systems.

MDE and its partners notified the FBI, Minnesota Bureau of Criminal Apprehension and Office of the Legislative Auditor about this situation.

MDE recommends individuals who may have been impacted take precautionary measures to protect themselves, such as accessing and moni­toring personal credit reports. Under federal law, a person has the right to receive, at any request, a free copy of their credit report every 12 months from each of the three consumer credit reporting companies.

A credit report can provide information regarding those who have received information about a person’s credit history within a certain period of time.

MDE is adding additional security measures to protect private data and prevent instances like this from happening in the future.