In October of 2018, the San Diego Unified School District in California — the state’s second-largest school district — became aware of a severe data breach. As of now, the hackers are unknown, but officials are aware that through criminal means, the hackers were able to obtain the full names, addresses, and Social Security numbers of hundreds of thousands of students and staff at the San Diego Unified School District.
What Caused the Data Breach?
Officials investigating the San Diego school district data breach know that the breach was caused by a phishing scam. They are unaware of exactly when or how the phishing scam occurred, but in some way, hackers were able to obtain access to internal programs and systems in the school district (using a legitimate student or teacher’s login), and from there, they accessed and downloaded the personal information of over 500,000 students and staff members.
What Is a Phishing Attack?
A phishing attack or phishing scam is an illegally engineered attack that aims to obtain personal user data using fooling the target. A hacker will usually find out an account that a target or user group has.
For example, Hacker A might know that their target (an innocent civilian) has an account with Happy Bank in Smithsville. Hacker A will then create an email that looks almost exactly like a real email that would be sent out from Happy Bank. The email will be directed to the name of the target and say something like, “Hi, you need to update your account with Happy Bank. Please login using the following link.”
If the target decides to follow through with the email, they will likely click on the link provided, which will take them to a site that looks almost like the real site of Happy Bank. They will log in using their personal user data (email address or username and password), and probably after that, they will encounter some sort of error message.
By this time, the hackers will already have the user data or personal login information they need from the target. This user data is generally not the endgame for hackers, however.
This user data will merely be used by the hackers to access portals of a larger institution. Although some hackers may use personal login information for a bank, for example, only to steal funds from that person’s bank accounts, other hackers will take things to the next level and attempt to gain broader access and more personal and financial information. Sometimes, these tactics help hackers steal money directly; other times, hackers hold information ransom, extort cash with it, or blackmail individuals or companies by leverage things they know about them.
And remember that the Happy Bank example is just one example of a phishing email scam. Phishing emails and scams can come in many forms, and there are also phishing phone calls that can trip up many people and cause them to divulge personal and financial information willingly.
When Did the Security Breach Happen?
Unfortunately, as of now, the school district does not know exactly when the breach happened. Spokespeople for the school district say that the hack could have occurred anywhere between January 2001 and November 2018 (although the school district did not become fully aware of the breach until October 2018).
This is often the case with phishing attacks. Hackers first need to obtain access to a sensitive information system. To do this, they need login emails and passwords, and phishing emails are the ideal way to achieve this information.
What Information Were the Hackers Able to Obtain?
The San Diego Unified School District is the second largest school district in the state of California and currently serves over 121,000 students.
In this data breach, hackers were able to obtain a large amount of personal information from hundreds of thousands of students in the San Diego Unified School District. Select staff members were affected by the security breach as well, and of those affected, some were even students and staff going back to the 2008-2009 school year. Approximately 50 district employees had their login information taken or compromised.
According to officials, here is some of the additional information that was taken by hackers:
- Staff and full student names, Social Security numbers, addresses, email addresses, personal information, and ID numbers
- Emergency contact information from students and faculty, including full names, addresses, phone numbers, and email addresses, and employment information
- Benefits information for staff members
- Compensation and payroll information for staff members, including deduction and tax information, financial institution information (account numbers and routing numbers), and salary and paycheck information
- Enrollment information about students, including their schedules, any legal notices, and transfer data on file, records of attendance, and health data
- State ID numbers from staff and students
All of the staff members, district employees, and students who were affected by this data breach where notified. Accounts were reset, and cyber-security measures are being taken to prevent any additional breaches of data at the San Diego Unified School District.
How Can You Protect Your Business From Phishing Scams?
Phishing scams are the most notable (and unfortunately, the most effective) modern-day swindle in existence. Whether you own a business, manage or run an organization, or simply want to protect yourself and your family members from hackers, it is essential to learn about phishing emails and how to prevent them.
According to the VP of product management and strategy at Tripwire, Tim Erlin, “The best way to counter this technique … is to have complete and comprehensive logs from all systems.”
It is also vital that everyone in your business knows about phishing emails and how to spot them. Never click on emails or links that look suspicious or slightly “off.” If you are asked to go directly to a website to login via a link in an email, avoid doing so, and instead go directly to the website on your own to log in. Check your messages there for whatever was referenced in the email, or give the institution a call directly to inquire about the email.
Finally, if you own a business or run an organization, always employ the professional services of a high-end IT services provider who specializes in cybersecurity. They will put into place some strong security measures that will help you prevent any sort of security breach, including phishing scam breaches.