A phishing attack against California’s San Diego Unified School District has led to hackers scooping up Social Security numbers and addresses of more than 500,000 students and staff.
The district became aware of the breach Oct. 2018. The actual breach occurred between January 2001 and November 2018, a spokesperson said. The district reported that it was first alerted to “multiple reports of phishing emails,” which were used to gather log-in information of staff members throughout the district.
Hackers then used that log-in data to access the social security numbers and first and last names of student and staff, as well as their date of birth, mailing address, home address and phone number.
“The data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals,” according to a notification on the San Diego Unified School District’s website on Friday. “For that reason, all of those individuals have been notified of the incident. Additionally, some 50 district employees had their log-in credentials compromised as part of the phishing operation. All students and staff who had their information accessed have been alerted by district staff.”
The San Diego Unified School District serves more than 121,000 students and is the second largest school district in California.
Other accessed information included:
-Student enrollment information like schedule, discipline incident information, health information, attendance records, transfer information, legal notices on file, and attendance data
-Student and selected staff State Student ID Number
-Student and staff parent, guardian and emergency contact personal identifying information (including first and last name, phone numbers, address, email address, employer information)
-Selected staff benefits information
-Selected staff payroll and compensation information (including viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information)
The district said that police have identified “a subject of the investigation” and blocked all stolen credentials; however, they could not comment more due to the ongoing nature of the investigation. Meanwhile, staff members whose accounts were compromised had the security on their accounts reset.
The San Diego Unified School District did not immediately respond to a request for comment from Threatpost.
Earlier this month, hackers launched a phishing attack against the Cape Cod Community College, and made away with at least $800,000 from the school’s bank accounts, according to The Boston Globe.
Phishing has continued to be an easy – but effective – tactic for hackers to access credentials and use them to log in to systems. In fact, the technique has increased in popularity during the holiday season, according to researchers at Proofpoint.
The best way to counter this technique, according to Tim Erlin, vice president of product management and strategy at Tripwire, is to have complete and comprehensive logs from all systems.
“Phishing remains a major avenue for initial compromise,” he said in an email. “When planning security controls, it’s important to consider not only what an attacker might do, but also what an attacker with authorized access might do.”