Minnesota Department of Education cyberattack: Over 95k students data breached

The Minnesota Department of Education (MDE) announced on Friday they were hit by a cybersecurity attack that contained information for thousands of students, including those placed in foster care. 

The department said they were alerted to a vulnerability in their MOVEit file transfer software on Wednesday, May 31. Later that day, an outside entity accessed 24 files with information for thousands of students. 

The initial investigation indicates the files included information for approximately 95,000 students placed in foster care including their names, date of birth, and which county they were placed. MDE said the files were transferred from the Minnesota Department of Human Services, and they don’t have contact information for those affected by the breach. 

The attack also included information on 124 students who qualified for COVID-19 benefits, 29 students taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a specific bus route with Minneapolis Public Schools. 

MDE said no financial information was obtained in the data breach but documents for some students taking PSEO classes contained high school and college transcripts with the last four digits of their social security number. 

There has been no ransomware demands and data has not been shared or posted online. Additionally, no virus or other malware was uploaded to the hardware systems, according to MDE. The FBI, Minnesota Bureau of Criminal Apprehension, and Office of the Legislative Auditor have been notified about this situation.

"MDE takes data privacy very seriously. We understand that third parties illegally accessing private data can have negative consequences for those whose data was accessed. Working with our MNIT partners, MDE is adding additional security measures to protect private data and prevent instances like this from happening in the future," the department said in a statement.