11/6/2023 0 Comments Illuminate education breachAs soon as the e-discovery firm provided us with a preliminary assessment on June 23, 2023, we provided information to the public and emailed both staff and families. Once our internal investigation determined that DOE files were accessed without authorization, we immediately began working with a leading e-discovery firm to analyze the scope of the incident. Why weren’t people made aware of the incident sooner? Visit the DOE’s Data Privacy and Security Policies page for more information about how the DOE protects information. Unfortunately, these privacy and data security measures could not have prevented the MOVEit incident. In addition, all DOE employees take data privacy training on an annual basis. These include encrypting data in transit and at rest, using multi-factor authentication, regularly conducting internal testing, and implementing enhancements to ensure our applications and infrastructure remain protected. The DOE complies with all privacy laws, including New York State Education Law 2-d, and has strong data security processes and systems in place. The DOE had no warnings about this vulnerability until MOVEit announced it. A zero-day vulnerability is when no one, not even the software developer, knows about the flaw. This incident was the result of what is called a “zero-day” vulnerability in the MOVEit software. Is there anything DOE could have done to prevent this data security incident? It remains offline out of an abundance of caution. We took the DOE server hosting the MOVEit software offline. MOVEit is software the DOE used to transfer files internally and to and from vendors. What is MOVEit? What did DOE use MOVEit for? The FBI is investigating the broader MOVEit breach, and the DOE is cooperating with the investigation. The DOE is one of numerous government agencies and private companies around the globe to be impacted by this incident. Once our internal investigation determined that DOE files were accessed without authorization, we immediately began working with a leading e-discovery firm to analyze the magnitude and scope of the incident. ![]() ![]() No other parts of the DOE network were accessed. Our investigation also confirmed that the files were copied, but not deleted or edited. The types of files that were accessed include student evaluations/related services progress reports, Medicaid reports related to the provision of related services, and internal records related to DOE employees’ leave status. The DOE fully patched the software within hours of learning about the vulnerability.Īn internal investigation determined that approximately 19,000 unique DOE files were copied on as a result of the vulnerability. There were no warnings about this vulnerability until MOVEit announced it. ![]() DOE used MOVEit to transfer files internally and to and from vendors. On June 1, 2023, the DOE was notified of a technical vulnerability in MOVEit software. Update on MOVEit Data Incident (2023) What happened?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |