Hacker Exploits San Diego School Network, Steals Personal Data On 500K Students And Staff

In what could pass for a scene in a movie, a hacker managed to breach a school district's database and steal 10 years' worth of personal data belonging to half a million students and staff. Only this wasn't a movie; it happened in real life. Had it been a movie, the hacker would likely have been revealed to be a student or former employee.

It's not clear who the actual culprit is, though, only that it was a pretty serious security breach. The mystery hacker infiltrated the network of the San Diego Unified School District (SDUSD), which held a wealth of personal data: first and last names, dates of birth, mailing addresses, home addresses, telephone numbers, and in some cases, social security numbers and/or state student ID numbers. The hacker also had access to things like staff benefits information and more. Here's the full list:
  • Student and selected staff personal identifying information, to include: first and last name, date of birth, mailing address, home address, telephone number;
  • Student enrollment information, to include: schedule, discipline incident information, health information, school(s) of attendance, transfer information, legal notices on file, attendance data;
  • Student and selected staff Social Security Number and/or State Student ID Number;
  • Student and staff parent, guardian and emergency contact personal identifying information, to include: first and last name, phone numbers, address (if provided), email address, employer information;
  • Selected staff benefits information, to include: health benefits enrollment information, beneficiary identity information, dependent identity information, savings or flexible spending account information;
  • Selected staff payroll and compensation information, to include: viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information.

"We sincerely regret that, after completing a thorough forensics investigation, we have reason to believe personal data may have been compromised through the access or use by an unauthorized individual. The unauthorized access resulted in the potential viewing of the personal data of some students and staff members. The personal data potentially included social security numbers and other personal identifying information," SDUSD said.

The school district's IT staff said the culprit used a phishing scam to obtain login credentials from staff members. Staff became aware of the issue in October 2018, though the theft of data could have occurred from as far back as January and all the way through November 1. SDUSD said it held off on notifying potentially affected users until now because it didn't want to tip off the person responsible during its investigation.

"School police have identified a subject of the investigation and blocked all stolen credentials. We cannot say more due to the ongoing nature of the investigation," SDUSD said.

The school district is in the process of notifying anyone it thinks might be affected by this breach.