Slashdot Mirror


Hacker Steals Ten Years Worth of Data From San Diego School District (zdnet.com)

A hacker has stolen the personal details of over 500,000 San Diego Unified School District staff and students, the district revealed in a breach notice posted on its website Friday. From a report: The breach occurred because the attacker gained access to staff credentials via a tactic known as phishing -- sending authentic-looking emails that redirect users to fake login pages where attackers collect login credentials. The attack didn't go unnoticed. Some staff reported the funny-looking emails to IT staff, who investigated and eventually discovered the breach in October this year. District officials said the hacker had access to its network between January 2018 and November 1, 2018, but that he stole student and staff data going back to the 2008-2009 school year.

6 of 82 comments

  1. Re:What is of real value? by jwhyche · · Score: 4, Insightful

    Names, Addresses, Social Security Numbers, phone numbers, etc etc etc. Any of this information is useful to identity thieves. It really doesn't matter how old it is as long as it can be used to link someone to something at some time. Some things like social security numbers and names never change. Things like past addresses and phone numbers can be used to link someone's identity over time.

    I'm kind of surprised a school hasn't been hit yet. I would imagine compared to banks and credit unions they would be soft targets security wise.

    --
    I read at +2. If your post doesn't reach that level I will not see or respond to it.
  2. Re:Only citizens required to provide documentation by bws111 · · Score: 2

    Uh, no. Those are the requirements for the initial issuance of a 'Real ID' approved license. If you don't want to present all that stuff you get a regular driver's license, which will not be accepted for ID for domestic flights, etc.

  3. There is real value by Pollux · · Score: 4, Informative

    I was informed by a security expert at a technology convention that personal data (Name, BD, SSN) of children are some of the most valuable data sought after on the dark web. When adults have their security credentials stolen, they discover the theft rather quickly, and any accounts created with the stolen data are shut down in a matter of weeks, giving the stolen credentials little potential value. But children do not check bank account information, or credit card balances, or credit scores until they become adults. Hackers can use that information to bankroll illegal financial activity for years.

    Someone enrolled now in preschool may discover 15 years later when they fill out their FAFSA that they owe hundreds of thousands of dollars in unpaid credit card balances and financial loans. San Diego School District will be liable for decades to come.

  4. Re:What is of real value? by Jason+Levine · · Score: 4, Interesting

    Don't underestimate how little companies might check information before opening a line of credit. When my identity was stolen, the thieves opened a credit card in my name. They had the name, address, SSN, and date of birth right, but the mother's maiden name wasn't even close. This is billed as a "security question," but failing this didn't stop Capital One from opening a card in my name for the identity thieves.

    In my case, I found out about it due to a fluke. The thieves paid for rush delivery of the card and THEN changed the address to their own. The rush delivery processed first and the card came to me. Had that processing switched, they would have gotten the card, racked up a ton of debt in my name, and I would have only found out about it when the collections agencies banged down my door telling me to repay what "I" charged.

    For the credit card company, dealing with this was as simple as writing it off as fraud and closing the account. For me, it meant dealing with the fallout and freezing my credit permanently (only thawing it when I want to open a new account). Credit Card companies have almost zero incentive to prevent identity theft.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  5. Re:Surprising by Scarletdown · · Score: 2

    Is it PENCIL again?

    --
    This space unintentionally left blank.
  6. Re:What is of real value? by jwhyche · · Score: 2

    Fairly static? They do not change. They are static, statistically speaking.

    Actually a social security number can be changed. For all intents and purposes it requires an act of god but it can be done. I don't know all the instances where it can be done but I have heard of a new one being issued due to a massive case of identity fraud.

    --
    I read at +2. If your post doesn't reach that level I will not see or respond to it.