That another data breach was announced recently isn’t necessarily a breaking news story anymore. However, the breach that happened between January and November of 2018 in the San Diego Unified School District was unique in one significant way. It wasn’t that the hacker got hold of a lot of personally identifiable information (PII) before being stopped; it was how the investigation into the intrusion was handled, which may actually have an impact on how data breaches are handled in the future. Although it has a somewhat positive outcome, was it really the right thing to do?

First, let’s get to the facts we know:

  • 500,000 students and staff were affected, dating back to the 2008-2009 school year.
  • The intruder lurked around in the school district’s system from January to November 2018.
  • The intrusion was discovered in October 2018.
  • The hacker is thought to have gained access to over 50 district employee accounts.
  • Information accessed was extensive and included student and staff names, phone numbers, birth dates, social security numbers, physical addresses, access to staff health benefits information, beneficiary information, dependents’ identities, savings or flex spending account information, and some payroll and compensation information.
  • The intruder gained access when someone fell victim to a phishing attack, where authentic-looking emails included a link that redirected the user to a fake login page. On that page, the user entered network credentials, unknowingly giving the attacker access.

Remember never to click links or attachments that you are not expecting. Contact the sender by phone, by paying a personal visit, or by a completely new email message to confirm the link before opening it. Replying to the sender will likely just send you back to the hacker, who will indeed confirm it, if you choose that method. That’s why a new message is the way to go, if you want to use email for confirmation. If you don’t know the sender, don’t bother clicking or confirming. If it truly is important, they’ll contact you again.

We don’t know what the email stated, but it was apparently authentic enough that some fell for it. If you are ever asked to verify account information or credentials, go directly to the related account and do so, rather than clicking a link in an email message.

The district has been contacting affected individuals, but it’s recommended that everyone in the school district keep a close eye on credit reports and health benefits statements. If you have the option to freeze your credit, you should seriously consider it. Just keep in mind that freezing access to your credit reports not only prevents potential fraudsters from gaining access to them, but it also prevents you from getting to them for purposes such as obtaining credit or applying for jobs or housing. If you can’t freeze it, consider putting credit monitoring on it, just to be safe. This won’t prevent fraud, but it will give you a heads-up sooner so you can react to it. This goes whether you were notified specifically or not.

So what was unique about this one? Well, the IT team of the district noticed the hacker in October, but didn’t immediately lock him or her out. Instead, they kept watch to see what was happening. While this may have given the criminal more time to steal more information and perhaps get it listed on the Dark Web, it also gave the investigators more time to catch him or her. In fact, a suspect has been identified. No names have been released, however, because the investigation is still ongoing, though the intruder’s access has been blocked.
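The article does not say how the district’s IT team spotted the intruder, but a phishing campaign that harvests credentials for dozens of accounts (over 50 here) leaves a recognizable trace in authentication logs: one outside source address suddenly logs in as many unrelated users, and individual accounts start succeeding from addresses they have never used before. The following Python is an added illustration of those two checks, not code from the original article or the school district; the log format, user names, IP addresses, cutoff timestamp and the three-account threshold are all constructed for the example.

```python
"""Flag indicators of a phishing-driven credential compromise in login logs.

Added example (not from the article or the district). The log lines, names,
addresses and thresholds are constructed; a real deployment would read its
own identity provider's sign-in logs instead.
"""
from collections import defaultdict

# Constructed sample log, one event per line: "timestamp user source_ip result".
# Morning entries are ordinary office logins; the evening burst shows one
# external address (203.0.113.77, a documentation range) succeeding as four users.
SAMPLE_LOG = """\
2018-10-01T08:02:11 jsmith 10.20.1.15 success
2018-10-01T08:05:42 adoe 10.20.1.31 success
2018-10-01T08:07:03 jsmith 10.20.1.15 success
2018-10-01T21:14:19 jsmith 203.0.113.77 success
2018-10-01T21:15:02 adoe 203.0.113.77 success
2018-10-01T21:15:40 mlee 203.0.113.77 success
2018-10-01T21:16:08 rkhan 203.0.113.77 success
2018-10-02T08:01:55 mlee 10.20.1.44 success
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into (ts, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((ts, user, ip, result))
    return events


def build_baseline(events, before):
    """Map each user to the source IPs of successful logins strictly before `before`.

    Timestamps are ISO 8601 strings, so plain string comparison orders them.
    """
    baseline = defaultdict(set)
    for ts, user, ip, result in events:
        if result == "success" and ts < before:
            baseline[user].add(ip)
    return baseline


def find_new_ip_logins(events, baseline, since):
    """Successful logins at or after `since` from an IP absent from that user's baseline.

    Users with no history at all are flagged on every login; that is a known
    source of false positives and a reason to seed the baseline with enough history.
    """
    alerts = []
    for ts, user, ip, result in events:
        if result == "success" and ts >= since and ip not in baseline.get(user, set()):
            alerts.append((ts, user, ip))
    return alerts


def find_shared_source_ips(events, min_accounts=3):
    """Source IPs that successfully authenticated as at least `min_accounts` distinct users.

    A single address logging in as many unrelated accounts is the typical
    fingerprint of someone replaying credentials collected by a phishing page.
    """
    users_by_ip = defaultdict(set)
    for _ts, user, ip, result in events:
        if result == "success":
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    cutoff = "2018-10-01T12:00:00"  # constructed: history before noon is the baseline
    evts = parse_log(SAMPLE_LOG)
    base = build_baseline(evts, cutoff)
    for ts, user, ip in find_new_ip_logins(evts, base, cutoff):
        print(f"new-source login: {ts} {user} from {ip}")
    for ip, users in find_shared_source_ips(evts).items():
        print(f"shared source {ip} used by {len(users)} accounts: {', '.join(users)}")
```

Run against the constructed sample, the shared-source check isolates 203.0.113.77 as the address used by four accounts, which is the signal worth escalating. The new-source check also fires on the later internal login by `mlee`, simply because that user had no pre-cutoff history; in practice the baseline window should be long enough that ordinary accounts have established their usual addresses before the rule is trusted.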

In the future, perhaps this is the way investigations will proceed for data breaches. If so, there is a chance that more of the perpetrators will be caught. However, the downside is that while they remain unidentified, they have the opportunity to collect and potentially sell more data. Is that the right direction? You can decide. It certainly gives us something to ponder.