Personal info of 500,000 school district staffers, students stolen by hacker

December 26, 2018

By

This year has already seen a number of high-profile hacks and data breaches, involving everything from Panera to Facebook. And it’s apparently not over just yet.In so many of these 2018 incidents, hundreds of thousands or even millions of records have been compromised. Just take a look at the recent Marriott-Starwood hotel chain breach that impacted about 500 million guests.And here we go again. This time, a school district was hacked and the stolen information involves half a million students and staff members.

A yearlong hack

Just before Christmas break began last week, the San Diego Unified School District in California posted information about a breach to its website. According to ZDNet, a hacker stole the personal details of over 500,000 students and staffers from the past 10 years.This incident involved phishing, which involves a hacker sending emails that look authentic but instead redirect recipients to fake login pages. Once a user tries to log into the fake pages, the hacker can steal their credentials. The emails raised a red flag for some staff members in October, who reported them to the school district’s IT staff.Bonus: Clever new phishing attack is hitting Office 365 accountsSchool officials determined that someone had access to their network since the beginning of 2018, but the stolen data actually goes all the way back to the 2008-2009 school year. They allowed the hacker to continue, while San Diego police and IT staff worked to find the suspect. Their plan worked and the culprit was identified.

The stolen information

Even though the hack had ended, officials believe the suspect had previously gained access to over 50 district employee accounts. Those accounts have been reset, but unfortunately, the damage was already done. The school district reports the following information was compromised:

• Student and selected staff personal identifying information, including first and last name, date of birth, mailing address, home address, telephone number;
• Student enrollment information, including schedule, discipline incident information, health information, school(s) of attendance, transfer information, legal notices on file, attendance data;
• Student and selected staff Social Security number and/or State Student ID Number
• Student and staff parent, guardian and emergency contact personal identifying information, including first and last name, phone numbers, address (if provided), email address, employer information;
• Selected staff benefits information, including health benefits enrollment information, beneficiary identify information, dependent identity information, savings or flexible spending account information;
• Selected staff payroll and compensation information, including viewable paychecks and pay advances, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information

The hacker could not only access but also alter data. The district is not sure if the data was actually viewed or copied. Read the full release here

What to do if you’re the victim of a data breach

If your information is out there because of this or any other data breach, be careful. Other scammers might try to piggyback on a breach like this and call you, pretending to be from the affected organization so they can steal additional info.It’s also a good idea to check up on your other online accounts and passwords. If you use the same password for multiple accounts, we can show you how to replace them with unique alternatives or make use of a password manager. Click or tap here to find out moreBonus: List ranks worst passwords you really need to stop using right nowCheck your banks statements as well, and look for any suspicious activity. In extreme cases, you can also put a credit freeze on your accounts. Click here to find out how