San Diego Unified School District Issues Yet Another Data Breach Notice

Class Action Investigation Continues

Sometime over the next week, more individuals who are former employees of the San Diego Unified School District (“SDUSD”) may receive notices that they were the victims of a cyber-attack on SDUSD servers.

SDUSD announced on June 2, 2023, that it was sending out data breach notification letters to former District employees by June 15, 2023. SDUSD did not explain why data of former employees would remain on its servers and be vulnerable to exploitation and attack.

According to previous reports, this attack took place on October 25, 2022, yet notices were not sent out by SDUSD until early December 2022. This newest round of letters will be sent out almost eight months after this breach took place.

While the total number of people impacted by this expanding breach has not been disclosed, it is likely in the tens of thousands of individuals.

According to SDUSD, “the data involved includes personal information of many current and former employees who have been employed with the district since 2020.”

SDUSD admitted it learned of this expanded group in April 2023, yet it has waited another two months to advise them that they were also victims of this breach.

The fact that SDUSD has waited so long to provide notice to affected consumers is a significant problem, since the longer cyber thieves can go undetected, the more they profit. And the longer SDUSD delays notification, the harder it is for individuals to protect themselves and to confirm the data was from SDUSD.

This is the fourth wave of data breach notices SDUSD has sent out. Back in April, it revealed that this breach also involved students’ medical information and sent out more notices.

SDUSD previously sent employees and students an email in early December informing them of the breach. It then disclosed the breach to the California Attorney General’s office on December 12, 2022, and sent a second group of emails out two days later.

According to SDUSD, it has “determined that the stolen data may include [a person’s] name, Social Security number, health plan information, and/or direct deposit information”.

Individuals should be particularly vigilant with their bank account information, as consumers have reported having their bank accounts compromised through the use of this direct deposit information.

Medical information was also taken, but SDUSD refused to say how many people’s medical information was compromised or what that information was.

Student data is also of particular concern, as California’s Student Online Personal Information Protection Act (SOPIPA) requires that every service used primarily for K-12 school purposes have reasonable security procedures and practices to protect student personal information.

“Student information is something that must be handled with great care. [...] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.” Source: Kamala Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

SDUSD has offered a complimentary one-year membership to an identity monitoring service. But this may be inadequate for the protection of Social Security information. Attackers can wait for many years to use personal data, particularly the Social Security numbers of students.

If you are not sure if you may be in this expanded group (or impacted in general) or are concerned you may have been affected by this breach and do not receive a notification letter, you can call 1-855-504-4525 between 8 a.m. and 5 p.m. Monday through Friday for more information.

Recoveries Under California Data Breach Laws Can Be Significant

If you or your student received or receive notice of this breach from SDUSD, you may be entitled to at least $1,000 or your actual damages, whichever is greater, under the Confidentiality of Medical Information Act, depending on whether medical data was taken, as well as relief under other state laws to ensure the conduct does not recur and to provide compensation for victims, who may not know for years if their data was misused or abused.

Stolen data can be bought and sold, with the going rate in the range of $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021 (Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021). Medical records are sold for even more.