Minnesota Department of Education files, including some student data, were accessed as part of a large-scale and global cybersecurity attack on a file-transfer system, the state agency said Friday.

The hack by the Russian Cl0p ransomware syndicate exploited a program called MOVEit that is widely used by organizations to securely share files. The parent company of MOVEit's U.S. maker, Progress Software, alerted customers to the breach May 31 and issued a patch. But cybersecurity researchers say scores if not hundreds of companies may by then have had sensitive data quietly exfiltrated.

Initial data-theft victims also include the BBC, British Airways and Nova Scotia's government. The Minnesota Department of Education (MDE) said 24 of its files were affected.

According to MDE, the accessed files contained the names, dates of birth and counties of residence of 95,000 students placed in foster care throughout the state.

They also included information about:

  • 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT). That data included student name, date of birth and in some cases home addresses.
  • 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis. That data included student name, date of birth, address and high school and college transcript information containing the last four digits of the student's social security number.
  • The names of five students on one Minneapolis Public Schools bus route.

By the time MDE heard about the vulnerability of the MOVEit file-transfer service on May 31, the files had already been accessed, said MDE spokesman Kevin Burns. As soon as the vulnerability was identified, MDE and Minnesota IT Services took "immediate steps" to prevent any further unauthorized access and began investigating the impact of the breach.

No financial information was included in the breached files, but MDE is recommending that those who had their data accessed take precautions, including monitoring their credit reports. Agency staff is working to notify people whose data was accessed and letters have been sent to hundreds of families, Burns said.

No virus or other malware was uploaded to MDE's hardware systems and, as of Friday, none of the information had been posted online, Burns said.

"We took extraordinary lengths to ensure the files were secure ... and to put efforts into notification," Burns said. "We have been transparent and forthcoming and we feel we have an obligation to do that. People who trust us with data should expect nothing less."

Kendall Johnson, a spokesperson for Minnesota IT Services said Friday, "At this time, there's no indication that other agencies were impacted by instances of unauthorized access related to the MOVEit vulnerability."

According to a report by the Associated Press, the firm SecurityScorecard detected 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies. Jared Smith, a threat analyst with SecurityScorecard, said it wasn't possible to break down those agencies by country. It was not known how many vulnerable MOVEit servers were hacked.

The hackers were actively scanning for targets, penetrating them and stealing data at least as far back as March 29, said Smith.

Cl0p is among the world's most prolific cybercrime syndicates. This is not the first time it has breached a file-transfer program to gain access to data it could then use to extort companies. Other instances include GoAnywhere servers in early 2023 and Accellion File Transfer Appliance devices in 2020 and 2021.

In a joint advisory issued Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency and FBI said Cl0p "is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 global organizations."

"Due to the speed and ease [with which it] has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.''

Cl0p claims it does not extort governments, cities or police agencies, but cybersecurity experts say that's likely a tactic to try to avoid direct conflict with law enforcement and that the financially motivated gang can't be trusted to keep its promise to erase data stolen from those targets.

Staff writer Ryan Faircloth and The Associated Press contributed to this report.