[RELEASE] MDE Affected by Global Data Breach

Having trouble viewing this email? View it as a Web page.

department of education

News Release

Contact: Kevin Burns



For Immediate Release

June 9, 2023

MDE Affected by Global Data Breach

Incident is part of international attack on third-party data transfer software

MINNEAPOLIS, MN – The Minnesota Department of Education today announced one of its data servers experienced a data breach as part of a global cyber-security attack targeting the MOVEit software. MOVEit is a global software used by many companies and government agencies.

On Wednesday, May 31, Minnesota IT Services (MNIT) was informed by a third-party vendor of a potential vulnerability with their file transfer service, MOVEit. That same day, MDE files on a MOVEit server were accessed by an outside entity. As soon as the vulnerability was identified, MNIT and MDE took immediate steps to prevent any further unauthorized access and to ensure the safety and security of their data. Additional steps were taken to investigate and assess the impact of the breach, and to put additional security measures in place.

The initial investigation found that 24 MDE files were accessed as a result of the global vulnerability. These files included data transferred to MDE from the Minnesota Department of Human Services (DHS) to meet state and federal reporting requirements, as well as files from two school districts (Minneapolis and Perham), and Hennepin Technical College.

These files contained information about approximately 95,000 names of students placed in foster care throughout the state, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a particular Minneapolis Public Schools bus route.

The files accessed relating to foster care students contained demographic data including the names, dates of birth and county of placement. These files were transferred to MDE from the Minnesota Department of Human Services under a data sharing agreement to meet state and federal reporting requirements. MDE does not have contact information for these individuals.

Information accessed related to the P-EBT files contained demographic data including student name, date of birth, and in some instances home addresses and parent/guardian name(s). The data related to PSEO participants included student name, date of birth, addresses, and in some instances parent/guardian name(s), as well as, high school and college transcript information containing the last four digits of the student’s social security number. The files related to the Minneapolis Public Schools bus route contained the names of five children, without further identifying or contact information.

No financial information was included in any of the files in this data breach. MDE is currently working to notify those individuals whose data was accessed. To date there have been no ransom demands nor is MDE aware that the data has been shared or posted online. Additionally, no virus or other malware was uploaded to MDE’s hardware systems. For additional information or information about how to access the report created by MDE in response to this incident, visit the MDE Data Breach webpage set up in response to this attack.

MDE and its partners notified the FBI, Minnesota Bureau of Criminal Apprehension and Office of the Legislative Auditor about this situation.

Though no financial information was accessed, MDE recommends individuals who may have been impacted take precautionary measures to protect themselves, such as accessing and moni­toring your personal credit reports. Under federal law, you have the right to receive, at your request, a free copy of your credit report every 12 months from each of the three consumer credit reporting companies. A credit report can provide information regarding those who have received information about your credit history within a certain period of time. You may request a free credit report online at www.annualcreditreport.com or by telephone at 1-877-322-8228.

MDE takes data privacy very seriously. We understand that third parties illegally accessing private data can have negative consequences for those whose data was accessed. Working with our MNIT partners, MDE is adding additional security measures to protect private data and prevent instances like this from happening in the future.