San Diego School Hacked: Cyber Breach Could Compromise 500K People's Social Security Numbers, Payroll, More

On the last day before Winter Break, San Diego Unified School District officials sent students, teachers, staffers and anyone else affiliated with the school home with a dismaying message: their technicians and police had discovered a gaping security breach that could affect as many as 500,000 people, exposing their coveted social security numbers, birth dates, and payroll and benefits information.
Besides the vacuuming up of people's stored information, the district also let those potentially victimized by the breach know that the same hacker or hackers had the ability to "alter data within those systems" tracking back a decade.
The breach was first discovered more than two months ago.
An investigation by our police and IT departments discovered a data breach in which an unauthorized user gained access to a district database. All persons who may have been affected are being notified via email now.
— San Diego Unified (@sdschools) December 21, 2018
More information can be found online: https://t.co/Ynd2Fk3ibH
In a mea culpa, austerely titled "Data Safety," the district officials attempted to tamp down the damage and make sense of what happened when their security measures and people's privileged data were inexcusably "compromised."
"We sincerely regret that, after completing a thorough forensic investigation, we have reason to believe personal data may have been compromised through the access or use by an unauthorized individual," reads the admission by the SDUSD. "The unauthorized access resulted in the potential viewing of the personal data of some students and staff members.
"The personal data potentially included social security numbers and other personal identifying information."
The memo notes that the unauthorized user(s) was discovered in October by the district's Information Technology department "gathering network access log-in information from staff and using that information to log into the district's network services, including the district student database."
The district claims that it has "taken steps to eliminate the threat to people's data" and made stringent "improvements" in order "to prevent such unauthorized access from happening again."
Phishing involves an attacker posing behind a fake email account and sending messages that appear to come from a legitimate person but actually contain booby-trapped links.
When a link is clicked, the user's data can be exploited.
While saying sorry for the lapse in security, the school district also seems to consider itself just another agency that's been targeted and duped by crafty and relentless black hats in a "phishing operation."
"Unfortunately, this type of scam has become widespread throughout the world," the memo reads.
But the totality of the "viewing or copying of personal data," occurring since January and running through November, remains to be seen.
However, it appears that authorities may have a culprit in their sights who may be behind the hack.
"School police have identified a subject of the investigation and blocked all stolen credentials," the memo reads. "We cannot say more due to the ongoing nature of the investigation."
To justify the two-month lull in letting folks know about their prized data being usurped, the district claimed they were preserving the sanctity of a criminal investigation.
"It was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities," the district's memo stated. "We are notifying any potential victims now because that phase of the investigation is over. However, our full investigation continues."
To patch the issue, the district has informed its student body and staffers that they "promptly took steps to secure the system and identify the scope of the incident with the help of law enforcement," according to a letter from Executive Director Integrated Technology Toren Allen that was addressed to "San Diego Unified families" titled "Notice of Data Breach."
"We have continued to implement and explore additional security measures, and continue to review and audit our practices to prevent this from happening again. We have also coordinated our investigation and response to the incident with law enforcement to bring the perpetrator(s) of this incident to justice," the letter reads.
In a brief interview with Newsweek, Allen acknowledged that 50 staffers had their credentials exposed and were subsequently updated after they learned about the breach.
He called the phishing scam "difficult" to defend against and noted that while there may have been some measures to fix and even prevent future breaches, the fact is it's an "evolving process."
Allen couldn't say whether or not the hack into the system actually accomplished the manipulation of people's data, citing the fact that those specifics remain "part of the ongoing investigation."
Pressed about waiting until the last day before Winter Break to deliver the news of the breach, Allen said they took time to allow the part of the investigation "to end... before we could equip the details that you have today."
The salutation in the letter he sent out offers another apology.
"Again, we sincerely regret that this incident has occurred," it reads, offering a hotline to call.
When Newsweek rang the 24/7 hotline number, the recorded voice prompt apologized yet again for "any inconvenience this may have caused you," and directed the caller to go online to get information.
A second attempt successfully reached a San Diego School police officer, who said there had been an unusual torrent of phone calls about the cyber breach.