A hacker has stolen the personal information of more than 500,000 current and former students and staff in the San Diego Unified School District, according to a report released by the school on Friday.
Though the breach was first identified by the district’s IT staff in October, the hacker apparently accessed the personally identifiable information through a phishing email directed at a district employee sometime between January and November.
Phishing attempts are the most common method used by hackers in K-12 districts — even if a district has strong security measures, human error, in the case of clicking on malicious links in phishing emails, can be incredibly destructive.
The hacker was able to view information on more than 500,000 students and 50 staff, and in most cases could view the first and last names, phone numbers, addresses, health information and social security numbers of the compromised accounts. Payroll information for certain staff was also compromised in the hack, according to the district.
The district also says it’s notified everyone that had information that was compromised, which includes students dating back to the 2008-2009 school year.
While district IT staff were aware of the hack in October, they weren’t able to immediately inform the victims because they did not want to tip off the hacker to their investigative efforts. With help from San Diego Unified school police, the district says it identified a suspect and blocked the stolen credentials in November, but the investigation is still ongoing. The methodology — collecting login credentials through a phishing email, then using those credentials to access personal information — is clear, the district says, but it has taken additional steps to secure the data.
District officials did not respond to a request for comment.