A hacker has stolen the personal details of over 500,000 San Diego Unified School District staff and students; the district revealed in a breach notice posted on its website on Friday, before the Christmas holiday.
The breach occurred because the attacker gained access to staff credentials via a tactic known as phishing — sending authentic-looking emails that redirect users to fake login pages were attackers collect login credentials.
The attack didn’t go unnoticed. Some staff reported the funny-looking emails to IT staff, who investigated and eventually discovered the breach in October this year.
District officials said the hacker had access to its network between January 2018 and November 1, 2018, but that he stole student and staff data going back to the 2008-2009 school year.
In an email sent to affected victims, district officials said they allowed the hacker to operate after their discovery on purpose.
“It was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities,” the district said in its letter. “We are notifying any potential victims now because that phase of the investigation is over. However, our full investigation continues.”
Their efforts weren’t in vain. District officials said that San Diego Unified Police and its IT staff identified the hacker and reset all compromised accounts to prevent any future access to its network. It is believed the hacker gained access to over 50 district employees’ accounts.
The hacker used access to this account to collect information on both students and staff. According to the San Diego Unified School District, the following information was taken during the eleven months the hacker had access to its network:
- Student and selected staff personal identifying information, to include: first and last name, date of birth, mailing address, home address, telephone number;
- Student enrollment information, to include: schedule, discipline incident information, health information, school(s) of attendance, transfer information, legal notices on file, attendance data;
- Student and selected staff Social Security Number and/or State Student ID Number
- Student and staff parent, guardian and emergency contact personal identifying information, to include: first and last name, phone numbers, address (if provided), email address, employer information;
- Selected staff benefits information, to include: health benefits enrollment information, beneficiary identify information, dependent identity information, savings or flexible spending account information;
- Selected staff payroll and compensation information, to include: viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information;
“Regardless of whether or not you received a notification, we still recommend that you contact credit reporting agencies to notify them of the breach of your information,” officials said.
“You can place an identity theft/fraud alert, get credit freeze information for your state, or order a free credit report through any of the three credit reporting agencies. More information can be found here.”