Cyber Incident Victim: San Diego Unified School District
Date: Jan 2018
Location: United States of America
Summary
The San Diego Unified School District experienced a data breach stemming from a phishing attack that compromised personal information of over 500,000 students, staff, and parents. Unauthorized actors accessed network credentials from approximately 50 employees, enabling infiltration of systems containing sensitive data including names, Social Security numbers, birthdates, contact details, payroll records, banking information, tax documents, and health benefits enrollment data. District personnel detected the intrusion, reset compromised credentials, and implemented enhanced security measures. Notification to affected individuals was deliberately delayed to avoid alerting perpetrators during the forensic investigation, which identified a suspect. The breach exposed records spanning a decade, with unauthorized network access occurring over several months prior to discovery.
Description
The San Diego Unified School District (SDUSD), California's second-largest school system, discovered in October 2018 that unauthorized actors had compromised personally identifiable information (PII) of over 500,000 students, staff members, and parents. The breach originated from a phishing campaign potentially active since January 2018, which successfully harvested network login credentials from approximately 50 district employees. Attackers used these stolen credentials to gain unauthorized access to SDUSD's network services, including its central student database containing records dating back to 2008. Exposed student and parent/guardian data included full names, Social Security numbers, dates of birth, home addresses, and phone numbers. Compromised staff information extended to payroll records showing paycheck details, tax documents, direct deposit banking information (financial institution names, routing numbers, and account numbers), salary figures, leave balances, health benefit enrollment forms, beneficiary identities, dependent information, and flexible spending account details. The district's technology personnel detected the intrusion through unauthorized account activity monitoring, triggering an immediate internal investigation.

SDUSD's response included forcibly resetting compromised staff credentials upon discovery to terminate ongoing unauthorized access. The district coordinated a forensic investigation through its dedicated police force and Information Technology department, which identified at least one subject allegedly responsible for the attack. Affected individuals received breach notification emails from district staff, though the public disclosure occurred more than two months post-discovery on December 21, 2018, via the district website's "Data Safety" page. District officials justified the notification delay as necessary to avoid alerting attackers during the active investigation. While the forensic examination remained ongoing at the time of disclosure, SDUSD implemented unspecified additional network security precautions to prevent recurrence. The breach impacted current and former students and employees due to the decade-long data retention period, exposing financial and identity records that could facilitate fraud or identity theft against minors and adults alike. No evidence suggested public release or misuse of the data at the disclosure date, though the investigation continued to assess full attack vectors and potential secondary data exfiltration.
