The San Diego Unified School District has announced that a phishing attack on its network has affected more than half a million of its staff and current and former students.
The San Diego Unified School District serves more than 120,000 current students and employs approximately 16,500 staff. It is the second largest school district in California, after the Los Angeles Unified School District.
The district became aware of the intrusion in October 2018. Officials chose not to act on the discovery immediately, so that the intruder would not learn they had been detected, and instead opened an investigation into the nature, scope and potential impact of the attack. Only once that initial phase was complete did the district's security personnel move to evict the intruder and restore the integrity of the network. Delaying containment in order to scope an intrusion is a recognised trade-off: it gives investigators a fuller picture of what the attacker touched, at the cost of leaving the attacker with access for as long as the observation continues.
The investigation, conducted in partnership with the San Diego Unified Police Department, found that the attacker first gained access to the network in January 2018 and that access was cut off in November 2018. District officials said they were first alerted by staff to "multiple reports of phishing emails". The attacker used those emails to harvest the login credentials of staff throughout the district. According to the district, every compromised account has since been reset and the attacker no longer has access to staff and student data.
The phishing emails were convincing spoofs of legitimate messages. As more people learn to recognise "traditional" phishing (emails with poor spelling and grammar that are obviously fake), attackers have become adept at building far more polished campaigns. At the centre of these campaigns are emails that are near-perfect copies of messages from a legitimate organisation or individual. The recipient is induced either to open an attachment carrying malware or, as in a credential-harvesting campaign like this one, to click an embedded link that leads to a login page built by the attacker to mimic the real one. Whatever the victim types there goes straight to the attacker, who then uses the credentials to sign in as that person. Often the only visible sign that such a page is fake is its URL, and in an HTML email the link text can show one address while the underlying href points to a completely different domain, so even a reader who checks the displayed address can be fooled; only the more careful users check the actual domain they land on before entering a password.
The breach is among the larger phishing-related breaches reported to date in terms of the number of people affected. The investigation found that more than 50 district employee email accounts were compromised over the space of 11 months.
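The mismatch between what a link shows and where it goes is something a mail gateway or a triage script can check mechanically. The following is an added example, not code from the district or from the article: it parses a constructed HTML message (the domains `district.example` and `login-portal.example` are invented), collects every anchor, and flags links whose visible text names one domain while the href points at another, links that leave the sender's domain, foreign hostnames that embed the sender's brand as a subdomain, and punycode hostnames. The two-label "registered domain" heuristic is a simplification; a real deployment would use a public-suffix list.

```python
"""Spot credential-harvesting links by comparing what the reader sees with
where the link really goes. Added illustration, not the district's or the
article's code; the sample message and its domains are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a spoofed IT notice whose visible
# link text shows the district's own domain while the href goes elsewhere.
SAMPLE_EMAIL = """\
From: IT Help Desk <helpdesk@district.example>
To: staff@district.example
Subject: Action required: your password expires today
Content-Type: text/html; charset=utf-8

<p>Your mailbox password expires today. Sign in now to keep access:</p>
<p><a href="https://district-example.login-portal.example/owa">https://district.example/owa</a></p>
<p>Questions? See the <a href="https://district.example/help">help desk page</a>.</p>
"""

# Visible link text that a reader would take for a URL or hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a bare 'host/path' string is treated as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain: the last two labels. Multi-part public
    suffixes such as co.uk need a public-suffix list; kept simple here."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_message(raw):
    """Return [(href, [reasons])] for links that look like a credential phish."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_rd = registered_domain(msg["from"].addresses[0].domain.lower())
    sender_brand = sender_rd.replace(".", "-")   # e.g. "district-example"
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")

    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        href_rd = registered_domain(href_host)
        reasons = []
        # 1. Visible text looks like a URL but names a different domain.
        if HOSTLIKE.match(text) and registered_domain(host_of(text)) != href_rd:
            reasons.append("display-text mismatch")
        # 2. The link leaves the sender's own domain.
        if href_rd != sender_rd:
            reasons.append("off-domain link")
            # 3. ...and the sender's brand is embedded in the foreign hostname.
            if sender_rd in href_host or sender_brand in href_host:
                reasons.append("brand in subdomain")
        # 4. Internationalised hostname, often used for homoglyph lookalikes.
        if href_host.startswith("xn--") or ".xn--" in href_host:
            reasons.append("punycode hostname")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_message(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

Run against the constructed message, the script flags only the sign-in link (display-text mismatch, off-domain, brand in subdomain) and leaves the genuine help-desk link alone. The same four checks are what a user is being asked to perform by eye when told to "check the domain"; the point of automating them is that the check then happens for every message rather than only when a recipient is suspicious.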
“The data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals,” according to a notification on the San Diego Unified School District’s website on Friday. “For that reason, all of those individuals have been notified of the incident. Additionally, some 50 district employees had their log-in credentials compromised as part of the phishing operation. All students and staff who had their information accessed have been alerted by district staff.”
Investigators determined that the exposed student data included telephone numbers, mailing addresses, home addresses, dates of birth, Social Security numbers, state student ID numbers, schedule information, school attendance information, transfer information, emergency contacts, legal notices, and health information. The original notice groups all of this under protected health information (PHI), but only the health-related fields are PHI in the HIPAA sense; the remainder is personally identifiable data that is sensitive in its own right, the Social Security numbers above all.
Employees of the San Diego Unified School District may also have had other information exposed, such as paychecks and pay advice, staff health benefits enrollment information, beneficiary identity information, savings and flexible spending account data, dependents' identities, tax information, direct deposit bank names, routing numbers, and account numbers, and payroll and compensation data. The data compromised in the attack dates back to the 2008-2009 school year.
Although investigators know that the attacker could have accessed all of the above, they have so far found no evidence that the data was copied or downloaded, and there are no reports as yet that any of it has been misused. Absence of evidence of exfiltration after an eleven-month intrusion is not the same as evidence of its absence, which is why everyone whose records were reachable has been notified regardless.
All individuals affected by the breach are being sent breach notification letters. The district's notice frames this under HIPAA's Breach Notification Rule; note, however, that student education records held by a school district generally fall under FERPA rather than HIPAA, so the notification duties that actually apply may differ from those the notice cites. The wider investigation into the attack is continuing. The San Diego Unified School District says it has implemented a more robust security framework to reduce the risk of a recurrence.