A phishing scam targeting Carmel Unified School District in Monterey County, California, exposed documents containing sensitive employee information, the district announced last week.
Hackers obtained login credentials to several employee email accounts, according to CUSD, one of which stored employee Social Security numbers, their spouses’ and dependents’ Social Security numbers, employee marriage certificates, employee dependents’ birth certificates and doctor’s notes, some containing medical information.
Initial phishing emails were sent in early January but the subsequent data breach was not discovered until March 5, according to CUSD’s breach notice. District employees were notified on March 8 and a copy of the notice was also filed with the California Attorney General’s Office.
The district says it has no way to determine whether any particular information within the account was accessed, but has recommended that employees enable two-step authentication for their Gmail accounts and change the passwords of other district accounts.
As required by California Data Breach Notification Law, CUSD is also offering employees one year of identity theft protection and credit monitoring services at no charge.
Jessica Hull, a spokesperson for the Monterey County Office of Education, which serves CUSD, told EdScoop that the phishing email was not isolated to the one district.
“This was a widespread attack,” Hull said. “Emails were received by the County Office of Education and several districts within the county.” However, she said that no other county school districts have reported data breaches.
According to Hull, the phishing email contained a link to a fake login screen that stole unsuspecting users’ login credentials once entered, giving the hacker access to those accounts.
CUSD said it is working closely with the Monterey County Office of Education to improve data security and has begun an audit of its practices of document transfer, email storage, and encryption.
The district said it is also looking closely at computer security training.
“We are also actively educating our users to prevent them from falling victim to phishing and continue to improve our security through implementing recommendations from the Multi-State Information Sharing and Analysis Center,” said Hull.