Data breach at New York public schools. "Brushing" incidents with smartwatches. University of Manchester confirms it was the victim of a cyberattack.

Announcement

Join the Q2 Cybersecurity Analyst Call

We'd like to invite you to the Q2 Cybersecurity Analyst Call on Thursday, June 29th, 2023 at 2pm EST to take a look at exactly which developments and topics were the most important this quarter. Join our host, CSO, Chief Analyst, & Senior Fellow, Rick Howard, with N2K Networks President, Simone Petrella, and CISO of Centene, Alan Berry for an insightful discussion about industry events from this quarter that have made material impacts. This live event is typically a CyberWire Pro exclusive, but will be open to all readers and listeners! Be sure to submit questions and/or topics with your registration. Register now.

We'd like your feedback.

We're always looking for ways to improve your Pro experience to give you intelligence-driven news that saves you time and keeps you in the know on the latest developments in cybersecurity. Please share your feedback in our 2023 Audience Survey and you will have a chance to win a $100 Amazon gift card. Take the survey.

Summary

By the CyberWire staff

At a Glance.

Update: MOVEit breach of New York public schools.
Unsolicited, malicious smartwatches are being sent to US military members across the services.
University of Manchester confirms it was the victim of a cyberattack.

Update: MOVEit breach of New York public schools.

New York Public schools were among those affected by Cl0p’s MOVEit attacks, with nearly 45,000 students and staff having their personal information stolen. The Daily News reports that “Sensitive data about 45,000 New York City public school students — as well as information about staff and school service providers — were compromised in a worldwide cyberattack, city education officials said Friday, June 23rd.”

In a statement sent to News 12, the Bronx, the NYC Department of Education said. “The safety and security of our students and staff, including their personal information and data, is [sic] of the utmost importance for the New York City Department of Education. We recently learned of a security vulnerability in a third-party file-sharing software, MOVEit, which has impacted both private and government customers globally. Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected. Currently, we have no reason to believe there is any ongoing unauthorized access to DOE systems. We will provide impacted members of the DOE community with more information as soon as we are able.” Among the stolen data are social security numbers, names, dates of birth and student and employee IDs.

Unsolicited, malicious smartwatches are being sent to US military members across the services.

Infosecurity Magazine writes that US military members from all services have reported receiving unsolicited smartwatches which have been assessed to have malware and Wi-Fi auto-connect capabilities which allows them to connect to a user’s smartphone without prompting. “Officials have raised concerns that these products may be part of a tactic known as Brushing, which involves sending products, often counterfeit, to unsuspecting individuals in order to generate positive reviews in their name.” Service members who received these smartwatches are being ordered to not turn them on and report the instance immediately to their counterintelligence office. The smartwatches are thought to be able to obtain user data and saved files from the affected smartphone and potentially even banking information.

The brushing effort seems to be targeting service members from all departments of the armed forces. “Junior-enlisted members of the military don’t make a ton of money, so getting a free smartwatch in the mail would certainly be exciting for many,” Rick Holland, a cyber security executive and veteran, told CNN.

University of Manchester confirms it was the victim of a cyberattack.

The Record writes that the University of Manchester confirmed on Friday, June 23rd, that it had indeed been a victim of a cyber attack that resulted in the theft of current and former student information. Though the university hasn’t released exactly how much (or what kind of) information was stolen, it reports “Based on our investigations we believe that a small proportion of data has been copied that relates to some students, and some alumni.” BleepingComputer reported that this comes after the attackers had emailed students from the university claiming they had stolen 7TB of student information. BleepingComputer writes, ”The university said it's collaborating with relevant authorities to investigate the incident, including the Information Commissioner's Office, the National Cyber Security Centre (NCSC), the National Crime Agency, and other regulatory bodies.”

Selected Reading

UK cyberspies warn ransomware criminals targeting law firms (Register) Nation states will use you to get to your friends, says NCSC

A full timeline of the MOVEit cyber attack (Cyber Security Hub) An up-to-date timeline of the MOVEit cyber attack, its victims and its impact

NYC student data breached in MOVEit cyberattack (New York Daily News) Sensitive data about 45,000 New York City public school students were compromised in a worldwide cyberattack against the popular file-transfer software MOVEit, which New York public schools use to share documents and data internally and with third-party vendors

Data breach exposes sensitive information on NYC Public Schools’ students and staff (News 12 - The Bronx) Multiple schools in the Bronx and Brooklyn have been affected, along with DOE staff members as a result of the breach.

45,000 Affected by Department of Education Data Breach (Citizen) Police are investigating an online security breach affecting The Department of Education from last night, according to an article from CBS sourced from Samdesk. The data breach includes over 45,000 social security numbers, dates of birth, employee IDs, and student evaluations for thousands of students, staff and service providers. The suspect may have found a loop hole in a software called ‘Move It’ which is used to share documents. The stolen data has not been published, nor have the DOE received any ransom demands. The Department of Education will notify all affected people.

La. officials issue more safety steps to protect against MOVEit cyber breach (KSLA) GOHSEP announced that additional information is available to help Louisianans better protect themselves against identity theft in light of last week’s cybersecurity breach.

University of Manchester confirms data theft in recent cyberattack (BleepingComputer) The University of Manchester finally confirmed that attackers behind a cyberattack disclosed in early June had stolen data belonging to alumni and current students.

University of Manchester confirms ‘criminal entity’ stole current and former students’ data (Record) The University of Manchester confirmed on Friday that a cyber incident reported earlier this month was a criminal attack in which data relating to current and former students was stolen.

Multiple US Navy personnel say they've received potentially malicious smartwatches in the mail (CNN) The US Naval Criminal Investigative Service is investigating after multiple Navy personnel reported receiving unsolicited smartwatches in the mail that could be installed with data-stealing malicious software, an NCIS spokesperson told CNN on Friday.

US Military Personnel Warned of Malicious Smartwatches (Infosecurity Magazine) The smartwatches have Wi-Fi auto-connect features and possibly contain malware

City of Fort Worth Assessing Impact After Data Breach by Hacktivist Group (D Magazine) The city of Fort Worth becomes the latest North Texas city to be targeted by hackers. This time, the damage appears to be minimal.

American TikTok user data stored in China, video app admits (The Telegraph) Revelation comes after intense public scrutiny over national security fears