UK telco watchdog Ofcom, Minnesota Dept of Ed named as latest MOVEit victims

Two more organizations hit in the mass exploitation of the MOVEit file-transfer tool have been named – the Minnesota Department of Education in the US, and the UK's telco regulator Ofcom – just days after security researchers discovered additional flaws in Progress Software's buggy suite. Ofcom disclosed this week it is among …

  1. Korev Silver badge

    Information therein contained about "95,000 names of students placed in foster care throughout the state, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a particular Minneapolis Public Schools bus route."

    Why on all earth were these data just left lying around on a server? And also, there is no mention of encryption...

    1. Andy The Hat Silver badge

      "MOVEit is a file transfer tool used by enterprises, as well as small and medium-sized businesses (SMB), to share sensitive data, such as personally identifiable information, banking data, health information, and similar, in a secure manner. That helps businesses prevent incidents that can lead to identity theft, wire fraud, and more."

      By definition, organisations using this tool expect this information to be end-to-end secure and the data is supposedly encrypted en-route. No "lying around on a server" is suggested.

    2. ChoHag Silver badge

      If you hear about a car accident, you will likely feel sympathy for all involved. When you learn that some of those weren't wearing seat belts or were drinking it colours your feelings somewhat.

      That is how I feel about breaches like this. What kind of bloody-minded incompetence, from engineering to management to board and beyond, allowed that to happen, and to happen so disastrously? Except for the final outcome it makes Boeing's culture look positively mature.

      "Do not operate this equipment while under the influence of incompetence or hubris"

      1. katrinab Silver badge

        These sorts of services are advertised as being more secure than sending email attachments. I was never convinced.

        Firstly, packet sniffing of emails in transit is not something that generally happens, people prefer to attack the endpoints, or the email server.

        Secondly, most emails are encrypted in transit these days.

        Thirdly, it just increases the attack surface, because if you can get access to email by whatever means, you can also get access to the file transfer service, and you add to that any additional vulnerabilities added by the file transfer service, such as this example.

  2. Kevin McMurtrie Silver badge

    If only there was some kind of list that helped organizations research the most common security coding mistakes.

    1. Roland6 Silver badge

      Having a list of coding mistakes is only a starting point, using that list to guide evaluation of actual code requires much more creative (and probably twisted) intelligence.

  3. Panicnow

    Will OFCOM fine OFCOM?

    Or will they go after MOVEiT?

    There will be a great precedent set, either way.

    1. Anonymous Coward

      Re: Will OFCOM fine OFCOM?

      > Will OFCOM fine OFCOM?

      I think you mean will ICO fine OFCOM?

      In which case, no chance, ICO don't want to fine anyone anymore, they want to "help" organisations learn from their mistakes (even if the Org is so stupid they need to make many mistakes, aka leaks, in the course of such "learning").

      ICO is the modern day chocolate teapot.

  4. Abominator

    It's all in the cloud bitches.

    Everything will be just great in the cloud.

  5. Cav Bronze badge

    "MDE: 'No financial info stolen' – so that's all right then" Why lie? There was no suggestion that the victim thought it was alright, or that they dismissed the severity of the incident.

  6. MrGreen

    OFCOM - The government’s propaganda non-regulator.

  7. david 12 Silver badge

    knew about the bug as far back as 2021.

    In March, Latitude Financial (GEC spinoff) lost a whole bunch of similar stuff (historical data files) through a "security breach at a software provider" through an intermediate company. They've never released details. But for sure it looks like the kind of MoveIt breach through a payroll company being reported here and elsewhere.
