This notice is in regard to an incident at San Diego Unified School District involving the security of personal data on the district’s information systems. We sincerely regret that, after completing a thorough forensics investigation, we have reason to believe personal data may have been compromised through the access or use by an unauthorized individual. The unauthorized access resulted in the potential viewing of the personal data of some students and staff members. The personal data potentially included social security numbers and other personal identifying information.

All persons potentially affected by this breach have been sent an email letter from the San Diego Unified School District.

The San Diego Unified School District has taken the steps necessary to eliminate the threat to your personal data and implement improvements to prevent such unauthorized access from happening again. We are sending this letter to provide you more information about the incident and what you can do to remain vigilant and protect your information.

How did this data breach happen?

SDUSD Information Technology staff discovered an unauthorized user was gathering network access log-in information from staff and using that information to log into the district’s network services, including the district student database. This happened through “phishing,” a scam technique where a person creates phony emails that appear to be from a legitimate source and contain harmful links. Unfortunately, this type of scam has become widespread throughout the world.

When did it happen?

The viewing or copying of some personal data was possible or occurred between January 2018 and November 1, 2018. Staff became aware of the issue in October 2018.

Why are people being notified now?

It was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities. We are notifying any potential victims now because that phase of the investigation is over. However, our full investigation continues.

How was it uncovered?

The incident was uncovered by district Information Technology professionals investigating multiple reports of phishing emails, which were used to gather log-in information of staff members throughout the district.

Who conducted the investigation?

San Diego Unified Police and Information Technology staff.

Who was responsible for this breach?

School police have identified a subject of the investigation and blocked all stolen credentials. We cannot say more due to the ongoing nature of the investigation.

What data was affected?

The accessed systems contained the following personal information:

 

  • Student and selected staff personal identifying information, to include: first and last name, date of birth, mailing address, home address, telephone number;

  • Student enrollment information, to include: schedule, discipline incident information, health information, school(s) of attendance, transfer information, legal notices on file, attendance data;

  • Student and selected staff Social Security Number and/or State Student ID Number

  • Student and staff parent, guardian and emergency contact personal identifying information, to include: first and last name, phone numbers, address (if provided), email address, employer information;

  • Selected staff benefits information, to include: health benefits enrollment information, beneficiary identify information, dependent identity information, savings or flexible spending account information;

  • Selected staff payroll and compensation information, to include: viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information;

How many people were impacted?

The data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals. For that reason, all of those individuals have been notified of the incident. Additionally, some 50 district employees had their log-in credentials compromised as part of the phishing operation. All students and staff who had their information accessed have been alerted by district staff.

Has the problem been resolved?

San Diego Unified Police and Information Technology staff have identified the methodology used to breach district data and notified all victims. All staff members whose accounts were compromised had the security on their accounts reset immediately upon discovery. Additional data security measures have been implemented to help prevent these types of occurrences from happening in the future.

How do I know if my family information was affected?

All individuals affected by the data breach have been notified directly. If a representative from San Diego Unified has not spoken with you directly about the issue, we do not have any evidence your data was altered or affected. Regardless of whether or not you received a notification, we still recommend that you contact credit reporting agencies to notify them of the breach of your information.

What can I do to make sure I’m protected?

You can place an identity theft/fraud alert, get credit freeze information for your state, or order a free credit report through any of the three credit reporting agencies. More information can be found here.