An attacker sent spear-phishing to SDUSD personnel with the intent of trick them into revealing credentials to access the district’s network services.
The attacker accessed personal information of student and staff, including names, dates of birth, mailing and home addresses, telephone numbers, social security numbers and/or state student ID numbers.
The hacker also accessed schedule, health data, schools of attendance, transfer information, recorded legal notices, and attendance data.
Exposed info include data about the students’ parents or guardians, emergency contacts of the district’s employees and staff benefits information (health benefits enrollment information, beneficiary identify information, dependent identity information, savings or flexible spending account information),
Both students and employees had Social Security numbers exposed, the hacker also accessed for some staff paychecks, salary
The district discovered the data breach in October, but did not immediately alert affected people because “it was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities.” The breach is believed to date back to January 2018, this means that the hacker accessed the information for 12 months.
The investigation is still ongoing and affected people are being notified via email, according to the SDUSD the law enforcement identified a subject of the investigation and blocked all stolen credentials.
In response to the incident, the staff members whose accounts were compromised had their passwords reset. SDUSD announced the implementation of extra security measures to avoid such kind of incident in the future.
(SecurityAffairs – SDUSD , data breach)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.