Cyber Incident Victim: Tacoma Public Schools
Date: Aug 2020
Location: United States of America
Summary
A Washington school district experienced a breach of its contracted email platform, leading to the distribution of 37,600 fraudulent messages appearing to originate from the institution. The phishing emails contained file links and deceptive subject lines prompting recipients to interact with fabricated account statements. District personnel swiftly issued public warnings via social media, advising against clicking embedded links and instructing affected individuals to reset credentials and report the messages. The incident involved a third-party vendor responsible for managing newsletter communications.
Description
On Monday afternoon in early August 2020, Tacoma Public Schools experienced a cybersecurity incident involving unauthorized access to its email communication systems. An external email platform contracted by the district—identified as Constant Contact, a service used for distributing e-newsletters—was compromised by attackers. This breach resulted in the automated distribution of 37,600 fraudulent phishing emails to recipients including district families, parents, and broader community members. The malicious emails impersonated official school communications, with deceptive subject lines such as "Pete Andrews sent you a file statement" and prompts urging recipients to "please fill empty lines in your account statement." Embedded file links within the messages posed risks of credential harvesting or malware installation. The scale of the campaign indicated automated exploitation of the platform’s distribution capabilities rather than targeted individual compromises.

District staff detected the anomalous email surge and initiated containment measures within hours of the incident. Officials issued public warnings via social media channels, explicitly advising recipients not to interact with the emails and confirming the communications were fraudulent. The response guidance instructed individuals who had already clicked embedded links to immediately change account passwords and report the messages as spam. Spokesperson Dan Voelpel publicly confirmed Constant Contact’s involvement as the compromised third-party vendor, though the district did not disclose whether the breach stemmed from credential theft, platform vulnerabilities, or other attack vectors. The incident disrupted routine communications with stakeholders and necessitated corrective actions to restore trust in official channels, though no secondary compromises or data exfiltration were confirmed in the immediate aftermath.
