SAN DIEGO — More than 500,000 students, parents and staff members of San Diego Unified School District may have had their personal information exposed in a data breach earlier this year, district officials announced.
An investigation by our police and IT departments discovered a data breach in which an unauthorized user gained access to a district database. All persons who may have been affected are being notified via email now.
More information can be found online: https://t.co/Ynd2Fk3ibH
— San Diego Unified (@sdschools) December 21, 2018
The breach, which was discovered in October, may have exposed a range of personal information including Social Security numbers, names, birth dates and addresses of students. Student information including schedules, disciplinary records and health details also could have been accessed.
The breach included parent and emergency contact records as well, including names, addresses, phone numbers and employer information. Staff member’s banking details — including routing and account numbers — plus payroll and benefit information were also involved.
Read the full letter notifying families of the data breach here.
San Diego Unified said the information dated back to the 2008-09 school year, encompassing more than 500,000 people. Another 50 district employees had their information compromised.
The breach occurred at some time time between January and November of 2018, officials explained. New security measures were now in place and personal information was no longer under threat, according to SDUSD.
The district was in the process of notifying every person affected Friday. Officials said they waited to alert families until December “to not immediately tip off those responsible that we are aware of their activities.”
San Diego Unified Police and the district’s Information Technology staff said the breach was made through a phishing scheme, in which victims are tricked into revealing confidential information through a deceptive email.
Investigators are still trying to determine who is responsible for the breach.