A statement from the San Diego Unified School District on Friday revealed that unauthorized access was achieved by a simple phishing campaign which compromised 50 staff log-ins back in January.
It was only 10 months later that IT staff detected the intrusion, with the threat finally eliminated on November 1.
Although GDPR regulators require 72-hour mandatory notifications, in the US police often request a delay to give them time to investigate and possibly apprehend the suspect.
An individual has apparently been identified and all stolen credentials are now useless, but the damage has arguably already been done.
Breached data includes: first and last name; date of birth; mailing and home address; phone number; student enrolment info; Social Security and/or State Student ID numbers; contact information on parents, guardians and emergency contacts; and staff benefits and payroll info including routing and account number, tax info, and salary info.
Data is said to go as far back as the 2008-9 school year.
There’s plenty in there for financially motivated cyber-criminals to monetize, not least the Social Security numbers of students.
Over one million US children fell victim to identity fraud in 2017, resulting in losses of $2.6bn, according to Javelin Strategy & Research. It’s thought that because they have limited financial records on file, children offer fraudsters a bigger opportunity to open fake accounts and the like in their name.
The case also highlights the continued threat from phishing: it featured in 93% of all data breaches analyzed by Verizon last year.