The San Diego Unified School District (SDUSD) – California’s second largest – first discovered in October 2018 that PII of more than a half million students and staff were compromised.
The loss occurred as the result of a phishing attack that may have occurred as early as January 2018. Tripwire first reported the attack on SDUSD, which has more than 121,000 students.
The school district disclosed the attack on Dec. 21 on its website with additional details on the linked “Data Safety” page stated that impacted individuals were given notice via email by district staff, although it didn’t say when notice occurred.
Lost PII dating back to 2008 included student and parent/guardian names, Social Security numbers, date of birth, home addresses and phone numbers. Select staff payroll and compensation information, to include: viewable paychecks and pay invoices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information. Others had absconded their health benefits enrollment information, beneficiary identify information, dependent identity information, savings or flexible spending account information.
According to SDUSD, its tech personnel discovered an unauthorized user was gathering network access log-in information from some 50 staff and using that information to log into the district’s network services, including the district student database. Staff had their log-ins changed, and additional precautions have been taken to prevent future attacks.
San Diego Unified Police and Information Technology conducted a forensic investigation, which is ongoing, and has identified a “subject,” in regard who was responsible for the attack.
As to why affected people are being notified more than two months after the breach was discovered, SDUSD said: “It was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities.”