A major data breach has been reported by the San Diego School District that has potentially resulted in the theft of the personal information of more than half a million current and former staff and students. The data exposed as a result of the breach date back to the 2008/2009 school year.
The breach was detected following reports from district staff of a spate of phishing emails. The emails were highly believable and fooled users into visiting a web page where they were required to enter their login credentials. Doing so passed the credentials to the attacker.
The attacker succeeded in compromising more than 50 accounts, which allowed access login to the school district’s network which included the district database containing staff and student information.
A wide range of sensitive information was stored in the database including names, birth dates, health data, Social Security numbers, emergency contact details, attendance records, enrollment information, legal notices, payroll information, tax information, dependent identity information, savings and flexible spending account details, salary information, deduction information, and the names of banks, routing numbers, account numbers for direct deposits.
The breach was detected in October 2018 but was determined to date back January 2018. When a data breach is discovered, the first step that is usually taken is to shut down access to all compromised accounts. Doing so would naturally alert the attacker that the breach has been detected.
In this case, the San Diego Unified Police was informed about the breach and the decision was taken to investigate the breach before terminating access. By taking this step, the police department was able to identify an individual who is believed to be behind the attack.
All compromised credentials have now been reset and unauthorized access is no longer possible. Further security controls have now been implemented to prevent similar attacks in the future.
Notifications have now been issued to all affected individuals. Those notifications were delayed to allow the police to investigate the breach without tipping off the attacker.