Phishing scam exposes personal, medical information at central California school districts

A phishing scam targeting Carmel Unified School District in Monterey County, California, exposed documents containing sensitive employee information, the district announced last week.

Hackers obtained login credentials to several employee email accounts, according to CUSD, one of which stored employee Social Security numbers, their spouses’ and dependents’ Social security numbers, employee marriage certificates, employee dependents’ birth certificates and doctor’s notes, some containing medical information.

Initial phishing emails were sent in early January at which time administrators became aware that district records had potentially been exposed and notified employees of the breach, said Paul Behan, CUSD’s chief technology officer.

“It was a lengthy and thorough process to go through all the records to see who was potentially affected and exactly which information may have been involved,” he told EdScoop in an email. Notices with additional information were sent in March to affected employees.

The District says it has no way to determine whether any particular information within the account was accessed, but has recommended that employees enable two‐step authentication for their Gmail accounts and change passwords of other district accounts.

As required by California Data Breach Notification Law, CUSD is also offering employees one year of identity theft protection and credit monitoring services at no charge.

Jessica Hull, a spokesperson for Monterey County Office of Education, which serves CUSD, told EdScoop that the phishing email was not isolated to the one district.

“This was a widespread attack,” Hull said. “Emails were received by the County Office of Education and several districts within the county.” However, she said that no other county school districts have reported data breaches.

According to Hull, the phishing email contained a link to a fake login screen that stole unsuspecting user’s login credentials once entered, giving the hacker access to those accounts.

CUSD said it is working closely with the Monterey County Office of Education to improve data security and has begun an audit of its practices of document transfer, email storage, and encryption.

Computer security training is also being closely looked into, the district said.

“We are also actively educating our users to prevent them from falling victim to phishing and continue to improve our security through implementing recommendations from the Multi-State Information Sharing and Analysis Center,” said Hull.

Editor’s note: This story was updated on March 20, 2019 to clarify that the district contacted its employees immediately after the breach was discovered.