San Diego school district has disclosed that a data breach had occurred in which personal data of more than 500,000 staff and students were stolen. The breach notice was posted by the district on its website last Friday.
The breach was performed through phishing where authentic looking mails are sent to the target system and redirects the user to fake websites from where the attackers collect the login credentials of the victim. Here the attacker gained access to the staff credentials through phishing.
The attack was noticed when some staff reported some funny looking mails to the IT staff. Upon investigation, the data breach was discovered last October.
According to the District officials, the hacker had access to its network between January 2018 and November 1, 2018, but the attacker has stolen the data of the students and staffs going back to the 2008-2009 school year.
All the affected victims were informed through mail and the district officials said that they allowed the hacker to operate after their discovery on purpose as it was necessary for their investigation. However, full investigation is still ongoing.
District officials said that San Diego Unified Police and its IT staff identified the hacker and reset all compromised accounts to prevent any future access to its network. The hacker gained access to over 50 district employees’ accounts which were used to collect information on both students and staff.
According to the San Diego Unified School District, the following information was taken during the eleven months the hacker had access to its network:
- Student and selected staff personal identifying information including first and last name, date of birth, mailing address, home address, telephone number.
- Student enrollment information including schedule, discipline incident information, health information, school(s) of attendance, transfer information, legal notices on file, attendance data.
- Student and selected staff Social Security Number and/or State Student ID Number
- Student and staff parent, guardian and emergency contact personal identifying information which includes first and last name, phone numbers, address (if provided), email address, employer information.
- Selected staff benefits information which includes health benefits enrollment information, beneficiary identify information, dependent identity information, savings or flexible spending account information.
- Selected staff payroll and compensation information which includes viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information.
The officials have stated that those who haven’t received a notification are also recommended to contact credit reporting agencies to notify them of the breach of your information.