The San Diego Unified School District (SDUSD) suffered a data breach after hackers launched a targeted phishing attack against a staffer to gain access to login credentials and use it to infiltrate the school district’s networks. The hackers compromised the personal information of over 500,000 staffers and students. The data compromised in the hack dates as far back as 2008.
SDUSD took to Twitter to acknowledge the breach, adding that it discovered the breach after its IT department and the local police investigated the incident. The breach exposed students and staffers’ personally identifiable information (PII) including names, dates of birth, mailing and home addresses, telephone numbers, social security numbers and/or state student ID numbers.
The hackers were also able to view student enrollment information such as schedule, health data, schools of attendance, transfer information, recorded legal notices, and attendance data.
“The viewing or copying of some personal data was possible or occurred between January 2018 and November 1, 2018. Staff became aware of the issue in October 2018,” SDUSD said in a statement. “The data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals. For that reason, all of those individuals have been notified of the incident. Additionally, some 50 district employees had their log-in credentials compromised as part of the phishing operation. All students and staff who had their information accessed have been alerted by district staff.”
The attackers were also able to access staffers’ health benefits information, savings accounts information, paychecks, tax information and more.
The identity of the attackers still remains unknown. The investigation into the attack is still ongoing. However, all those affected by the breach have been notified by SDUSD. The school district has also advised victims to monitor their financial accounts and freeze their credit cards in case of any suspicious activities.