The San Diego School District has announced that a phishing attack resulted in the exposure of the private information, such as health data, of over 500,000 students and staff.
The school district discovered the phishing attack in October 2018, but the breach investigation revealed that the hacker had access to its network for almost a year. The attacker first acquired network access in January 2018, and access remained possible until November 2018.
The school district investigated the breach before terminating network access so as not to alert the attacker to the investigation. With the assistance of the San Diego Unified Police, the identity of the hacker behind the attack was established. Passwords have now been reset on all affected accounts holding staff and student data, and the accounts are no longer accessible by unauthorized third parties.
According to a statement from the San Diego School District, the phishing emails used in the attacks were very realistic. They fooled users into visiting a webpage where they provided their account details, which were collected by the attacker.
The breach was among the most serious phishing attacks reported to date. The investigation showed that over 50 email accounts of district staff were compromised in 11 months.
The types of data that were exposed included names, phone numbers, mailing and home addresses, birth dates, state student ID numbers, schedule details, school attendance data, transfer data, Social Security numbers, emergency contact information, legal notices, and health data. Compromised staff data included paychecks and pay advice, staff health benefits enrollment data, beneficiary identity data, savings and flexible spending account information, dependents’ identities, tax data, direct deposit bank names, routing numbers, and account numbers, and payroll and compensation information. The information compromised in the attack goes back to the school year 2008-2009.
Although data access was possible, it is uncertain if the hacker downloaded staff and student information. The school district has now implemented further security controls to prevent similar breaches in the future.