Cyber Incident Victim: Morgan Hill Unified School District
Date: Sep 2022
Location: United States of America
Summary
Morgan Hill Unified School District experienced unauthorized access to an employee's email account over a one-month period, compromising communications and attachments within the account. The district confirmed the intrusion but could not identify which specific emails or data were accessed, leaving the scope of impacted information unclear; the breach notification did not specify whether student records, employee details, or both were involved. Affected individuals were offered one year of credit monitoring, though the total number of notified persons remained undisclosed. The district, serving thousands of students and hundreds of staff, provided no public disclosure beyond the mandated notifications.
Description
The Morgan Hill Unified School District in California experienced a data breach involving unauthorized access to an employee’s email account between September 11 and October 11, 2022. The district’s investigation confirmed unauthorized connections to the account during this period but could not identify which specific emails or attachments were viewed or accessed by the threat actor. The breach spanned 31 days, though the district did not disclose when the intrusion was initially detected or the methods used to identify the compromise. No technical details about the attacker’s entry vector—such as phishing, credential theft, or system vulnerabilities—were revealed in the district’s notification to affected parties or in public disclosures.

On January 27, 2023, the district submitted a breach notification to the California Attorney General’s Office, though it did not publish an advisory on its website. The notification did not specify whether compromised data involved student records, employee information, or both, nor did it describe the nature of the exposed data (e.g., names, addresses, financial details). Affected individuals were offered a one-year subscription to a credit monitoring service as a remedial measure. The district did not disclose the total number of impacted individuals, though it served over 8,000 students and employed more than 320 full-time teachers during the 2021–2022 academic year. No ransomware deployment, data destruction, or financial demands were mentioned in available reports. The investigation’s inability to determine the scope of accessed data left residual uncertainties about potential misuse risks.
