After a successful phishing attack that captured over 50 accounts, hackers stole 500,000 records from the San Diego Unified School District covering staff, current students, and past students going all the way back to 2008, including SSNs, home addresses and phone numbers, disciplinary files, health information, emergency contact details, health benefits and payroll information, and financial data for direct deposits.
School district employees reported the wave of phishing emails, but the district opted to deliberately allow the hackers to continue operating in an effort to catch them; the district says it has identified the hacker.
Details are sketchy, but boy this looks bad. It's hard to understand why anyone beyond a few employees would be able to access historical student records (for example, staffers who provide transcripts for college applications, or who respond to court orders). It's also not clear how the district decided to allow a criminal to access their systems for 11 months while stealing 500,000 records — even if they have identified the criminal, have they caught them? And even if they caught them, do they know that the stolen records weren't sold or given away prior to the capture?
Update: I've since learned that while the school district believes the hacker was active for up to 11 months, they only became aware of the incursion a month before they shut down the hacker's access, and allowed the access to continue for that month in the hopes of identifying them.
I've also learned that only a minority of employees could access the historical student records, and the hacker seems to have compromised one or more of those employees' accounts in order to obtain records on students not presently enrolled in the district.
In my experience, schools are incredibly cavalier about requesting student and visitor data, doing things like scanning driver's licenses and sending them to third party background checking services without being able to provide any information on what will happen to that data.
"It was necessary for our investigation to not immediately tip off those responsible that we were aware of their activities," the district said in its letter. "We are notifying any potential victims now because that phase of the investigation is over. However, our full investigation continues."
Their efforts weren't in vain. District officials said that San Diego Unified Police and its IT staff identified the hacker and reset all compromised accounts to prevent any future access to its network. It is believed the hacker gained access to over 50 district employees' accounts.
The hacker used access to this account to collect information on both students and staff. According to the San Diego Unified School District, the following information was taken during the eleven months the hacker had access to its network:
Hacker steals ten years worth of data from San Diego school district [Catalin Cimpanu/Zdnet]