Last month, San Diego Unified School District announced that unauthorized access to their student database may have compromised the personal data of up to 500,000 students from as far back as 2008 (NBC San Diego).

How did the unauthorized access occur? Through phishing—email impersonation that leads to theft of credentials. Using phony emails, someone was able to fool at least 50 staff members into revealing their login information. The scammer then used this login information to access school databases and download data containing personally identifiable information (PII). Here’s the district’s letter on the matter.

School districts are a lucrative target for PII. After all, they keep records on current and former student and staff. Every year, school districts receive an influx of new students which means new social security numbers, birth dates, health records, etc. Combined with the records maintained for current and former students, it is apparent that districts have quite a stockpile of information. PII was among the top three targets for data breaches studied in Verizon’s 2018 Data Breach Investigation Report.

Notable in this story is that San Diego Unified School District IT staff discovered the unauthorized access through the investigation of reported phishing emails. This is an important point—are you asking your employees to report suspected phish, especially when they impersonate your workplace staff or resources? This requires that users understand what email impersonation looks like. If you think your users would benefit from phishing awareness training, contact us. We can help educate them in a safe environment.

Second, do you have audit capabilities in place to track user access to resources? This could include logs that indicate the account used, timestamp, and some details about the connecting computer such as IP address, OS type, etc. This is especially important for privileged access (AKA access to sensitive information). Having audit logs for privileged access account actions, such as the download of sensitive data, is also helpful when trying to determine the scope of a breach.

Data breaches certainly seem like the new normal. Unfortunately, as this story shows, it’s still easy for scammers to gain access by impersonating workplace people and resources over email to steal login information. If it’s feasible in your organization, consider adding a second login step to accounts or restricting outside access to sensitive resources. Couple these technology solutions with staff training on phishing awareness to build a strong defense against data breaches.