An attacker sent spear-phishing messages to SDUSD personnel with the intent of tricking them into revealing credentials to access the district’s network services.
The attacker accessed personal information of students and staff, including names, dates of birth, mailing and home addresses, telephone numbers, Social Security numbers and/or state student ID numbers.
The hacker also accessed schedules, health data, schools of attendance, transfer information, recorded legal notices, and attendance data.
The exposed information includes data about the students’ parents or guardians, emergency contacts of the district’s employees, and staff benefits information (health benefits enrollment information, beneficiary identity information, dependent identity information, savings or flexible spending account information).
Both students and employees had Social Security numbers exposed; for some staff, the hacker also accessed paychecks, salary
The district discovered the data breach in October, but did not immediately alert affected people because “it was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities.” The breach is believed to date back to January 2018, which means that the hacker accessed the information for 12 months.
The investigation is still ongoing and affected people are being notified via email. According to SDUSD, law enforcement identified a subject of the investigation and blocked all stolen credentials.
In response to the incident, the staff members whose accounts were compromised had their passwords reset. SDUSD announced the implementation of extra security measures to avoid this kind of incident in the future.
(SecurityAffairs – SDUSD, data breach)