Cyber Incident Victim: Carmel Unified School District
Date: Mar 2019
Location: United States of America
Summary
A phishing attack compromised an employee email account at Carmel Unified School District, exposing sensitive documents containing employees' and their dependents' Social Security numbers, marriage and birth certificates, and medical information from doctors' notes authorizing work absences or returns. The breach involved a limited number of files but potentially impacted personal identifiers and health-related details of staff members and their families.
Description
On or around March 13, 2019, Carmel Unified School District experienced a cybersecurity incident involving unauthorized access to an employee's email account through a successful phishing attack. The breach exposed a limited number of documents stored within the compromised account, which contained highly sensitive personal information belonging to employees and their families. Specifically, the compromised records included employee Social Security numbers along with spouses' and dependents' Social Security numbers, creating multi-generational identity theft risks. Additionally, the attacker accessed marriage certificates and dependents' birth certificates, documents typically used for benefits verification. Medical privacy was also impacted through exposure of doctors' notes that excused employees from work or authorized their return, some of which contained sensitive health information. The district confirmed the phishing attack specifically targeted employee credentials rather than constituting a broader W-2 data harvesting operation common in education sector breaches at the time.

Carmel Unified School District responded by issuing formal notifications to affected employees, disclosing both the phishing incident's occurrence and the specific types of exposed documents. The notification emphasized the breadth of compromised personal identifiers across multiple family members rather than just individual employee data. While the district characterized the number of exposed documents as "limited," the combination of Social Security numbers for employees and their relatives, family legal documents, and medical notes created compounded risks for identity fraud and privacy violations. No details regarding detection methods, containment procedures, or forensic findings were included in the public notification. The incident highlighted vulnerabilities in email account protections for documents containing highly sensitive family and health information within educational institution systems.
