Ten years' worth of data leaked after San Diego School District hack

A hack in the San Diego School District leads to the leakage of more than 500K people's data

Data breach in San Diego Unified School District. Investigation of a phishing campaign led to the discovery of a data breach that dated back to the start of 2018.

According to the official investigation, the San Diego Unified School District (SDUSD) is yet another victim of a hack that cost the institution various details, including personal information about staff members and students. The leaked information dates back to the 2008 – 2009 school year.[1] As the official notice reveals,[2] the data breach was discovered only several months ago.

After the attacker gained access to the database, the stolen credentials were not only used in phishing campaigns but were also altered within the system.

The data breach notice states that the investigation has revealed that the leak was carried out through phishing:

SDUSD Information Technology staff discovered an unauthorized user was gathering network access log-in information from staff and using that information to log into the district’s network services, including the district student database. This happened through “phishing,” a scam technique where a person creates phony emails that appear to be from a legitimate source and contain harmful links. Unfortunately, this type of scam has become widespread throughout the world.

According to officials, the attacker had unauthorized access to the school's database for an extended period. He or she had been stealing, copying and collecting information about workers, students, and other related individuals for at least ten months during the year. Although the staff became aware of the incident only in October 2018, the report says that data collection continued until November 1st.

The affected data contains personal information about students and staff members

Because the accessed file contained information about students who attended the school back in 2008, this data breach includes more than half a million individuals. In addition, the incident includes fifty staff members[3] who were involved because of the phishing scam.

According to the latest information, the data breach exposed:

  • First and last names of selected staff or students;
  • Date of birth;
  • Mailing and home addresses;
  • Telephone numbers;
  • Information about student enrollment that includes schedule, discipline incident information, health details, transfers, and legal notices;
  • Social security numbers and student ID numbers;
  • Student and staff parent, guardian contacts, identifying information[4];
  • Information about health benefits, savings or spending account details;
  • Paycheck information, tax details, salary and leave information.

The data breach was discovered because of the phishing email campaign

After gaining access to staff credentials, the attacker used them in phishing emails that looked legitimate and redirected users to malicious pages. These websites were set up to collect victims' logins, passwords, and other information through social engineering. After staff members reported these suspicious and even funny emails to the IT support team, the investigation started.

According to the district, all potential victims have already been warned about the data loss. Additionally, authorities have made the needed improvements to prevent similar cases in the future. However, given how common data breaches have become in recent years,[5] authorities are expected to take all precautionary measures to prevent such cases in the future.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
