Hackers hit the San Diego Unified School District’s computer system and obtained access to a file that had detailed personal data on more than 500,000 students going back a decade, authorities said.
The school system, in a security report on its website, said it is alerting those who may have had personal data viewed or stolen. The data potentially includes Social Security numbers, health and discipline information, addresses, and phone numbers, it said.
School police “have identified a subject of the investigation" but did not reveal details on who it was or how many people were involved, the security report said.
“The data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals. For that reason, all of those individuals have been notified of the incident,” the website says. “Additionally, some 50 district employees had their log-in credentials compromised as part of the phishing operation. All students and staff who had their information accessed have been alerted by district staff.”
The breach is believed to have started in January and did not end until it was discovered in October, when school system personnel began investigating multiple phishing emails, according to a letter sent last week to school district families. The phishing emails were attempts to gather log-in information of staff members, it said.
An investigation was launched by the school district’s police force and information technology staff, but the public was not told until now to protect the probe, the system’s website notice said.
"Necessary” steps were taken “to eliminate the threat to your personal data and implement improvements to prevent such unauthorized access from happening again,” the letter said.
Schools have increasingly become targets of hackers and cyber thieves in recent years, with hundreds of incidents reported annually. Concerns about student data privacy have been growing in the era of online education.
This year, the U.S. Education Department warned school systems that give the SAT and ACT tests for purposes other than college admission that they need to do a better job protecting personal information of students who take the tests. And it issued a warning to schools and districts in October 2017 that said:
Schools have long been targets for cyber thieves and criminals. We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.
These attacks are being actively investigated by the FBI, and it is important to note that none of the threats of violence have thus far been judged to be credible. At least three states have been affected.
In 2015, during the Obama era, the Education Department came under criticism from House Republicans and Democrats about the vulnerability of its information systems to security threats.
Here, from the San Diego school system website, is the personal information that could have been compromised:
Here’s the full letter from the San Diego Unified School District:
Data Breach Letter by on Scribd