A hacker breached the school network of the San Diego Unified School District and stole the data of almost 500,000 staff and students, in breach of the data protection act. The hacker obtained authorised staff credentials via phishing (fake emails that lead to a fake login page), the district revealed in a breach notice posted on its website.
The emails looked odd and were reported by some staff members to the IT department, which investigated further and discovered that the breach occurred in October 2018. The hack went unnoticed, and the attacker had access to the network from January 2018 to November 2018; interestingly, he stole the data from the school year 2008-2009.
In an email containing the breach notice sent to the victims, officials said that they allowed the hacker to carry on for the sake of the investigation.
“It was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities,” the district said in its letter.
“We are notifying any potential victims now because that phase of the investigation is over. However, our full investigation continues.”
And their efforts weren’t wasted. San Diego Unified Police and the IT department identified the cyber attack and developed a plan to reset all the affected accounts to secure them against any future breach. The hacker was found to have had access to almost 50 employees’ accounts.
What type of personally identifiable information was involved in the 11 months of unauthorised access?
- The information includes first and last name, DOB, telephone number, mailing address and email address.
- Some sensitive information, including health information, attendance data, legal notices and transfer information.
- Social security numbers.
- Guardians and emergency contact numbers.
- Staff benefits information with savings and spending account information.
- Staff payroll and compensation information, which includes paychecks, tax information, account numbers with salary and leave information.
In a statement, district officials said: “Regardless of whether or not you received a notification, we still recommend that you contact credit reporting agencies to notify them of the breach of your information.”