- San Diego Unified School District fell victim to a phishing attack, which breached the personal data, including health information, of more than 500,000 students and staff.
The hacker gained access to staff credentials using a targeted phishing attack that used emails that appeared to be authentic, but redirected users to fake login pages where hackers collected the credentials, officials explained.
According to officials, hackers had access to the network for nearly a year between January 2018 and November 2018. However, they stole the data from as far back as the 2008-2009 school year. The breach was discovered in October 2018, but the hackers were allowed to remain on the system, while officials fully investigated the incident.
“It was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities,” officials said in a statement. “We are notifying any potential victims now because that phase of the investigation is over. However, our full investigation continues.”
The successful investigation, completed in cooperation with the San Diego Unified Police, identified the hacker and reset all compromised accounts. Officials said they believe the hacker gained access to over 50 district employee accounts.
During the 11-month breach, the hacker gained access to a trove of personal data including student and staff names, dates of birth, Social Security numbers, mailing and home addresses, phone numbers, health information, legal notices, and much more.
In fact, the hacker also obtained selected staff benefits, such as health benefits enrollment details, beneficiary identity information, dependent identities, and savings or flexible spending account data. Some staff payroll and compensation data were also breached.
“All staff members whose accounts were compromised had the security on their accounts reset immediately upon discovery,” officials said in a statement. “Additional data security measures have been implemented to help prevent these types of occurrences from happening in the future.”
“All individuals affected by the data breach have been notified directly. If a representative from San Diego Unified has not spoken with you directly about the issue, we do not have any evidence your data was altered or affected,” they added.
As a precaution, officials recommend that all San Diego Unified staff and students should still contact reporting agencies with the breach information even if they did not receive a notification.