Hacker Steals Ten Years Worth of Data From San Diego School District (zdnet.com) 82
A hacker has stolen the personal details of over 500,000 San Diego Unified School District staff and students, the district revealed in a breach notice posted on its website Friday. From a report: The breach occurred because the attacker gained access to staff credentials via a tactic known as phishing -- sending authentic-looking emails that redirect users to fake login pages were attackers collect login credentials. The attack didn't go unnoticed. Some staff reported the funny-looking emails to IT staff, who investigated and eventually discovered the breach in October this year. District officials said the hacker had access to its network between January 2018 and November 1, 2018, but that he stole student and staff data going back to the 2008-2009 school year.
Re: (Score:1)
Maybe you could read all the way to the second sentence of the summary to see how they did it - it had nothing to do with network equipment.
Re: (Score:1)
The problem is that it's accessible, attractive and people being naive idiots who value convenience over security at every turn combined with a distinct lack of respect for the people whose information gets handled.
Systems like these should be air-gaped, and access to the information should be on a strictly need to know basis, an audit trail of who accessed it, when and why, and heavy punishments for transgressors.
Re: (Score:3)
Is it PENCIL again?
What is of real value? (Score:2)
I am trying to figure what is so valuable of 10 years of school district data? Perhaps some bank information to pay teachers with direct deposit.
What are you planning to do, blackmail students to show they were put into detention 10 years ago, for fighting or talking up to a teacher. Or the fact that you had failed English back in 2001. Most of the data in a school is public information anyways.
Re: (Score:2)
The lifetime educational records of a bunch of up-and-coming suckers^H^H^H^H^H consumers, mostly with practically no experience in making financial decisions on their own? Nope, can't think of anyway that could be monetized.
Re: (Score:2)
I still fail to see why my educational records in elementary school would be any value.
Every year my teachers would say, You will not be able to make it threw the next level of schooling. (They stopped telling me that in Grad School) Mainly due to the fact that I have mild dyslexia, and my writing (still) sucks, where if I am able to express my thoughts via other media I do actually very well. Also I see a lot of A students in my Facebook friends who are in much worse conditions then I am, and are barely
Re: (Score:2)
If you can't spell "through" yet, they obviously shouldn't have stopped telling you that in Grad School....
Re: (Score:2)
Welp, we know you're brain-damaged if social media is the only media you can think of.
Spoken media.
Video media.
Artistic media.
Go back to school and grow up, child.
Re: (Score:2)
they stopped that around the time not college material was drooped. Around the time of NCLB
Re:What is of real value? (Score:5, Insightful)
Names, Addresses, Social Security Numbers, phone numbers, etc etc etc. Any of this information is useful to identity thieves. It really doesn't mater how old it is as long as it can be used to link someone to something at some time. Some things like social security numbers and names never change. Things like past addresses and phone numbers can be used to link someones identity over time.
I'm kind of surprised a school hasn't been hit yet. I would imagine compared to banks and credit unions they would be soft targets security wise.
Re: (Score:1)
Some things like social security numbers and names never change.
Social security numbers are fairly static, but names change with damned near every marriage. Still, it's hugely valuable data, which ties into....
Things like past addresses and phone numbers can be used to link someones identity over time.
Addresses are massively useful, given "stringent" verification of identity mainly consists of, "WHICH ADDRESS DID YOU FORMERLY LIVE AT LOLOLOLOL" questions.
Re:What is of real value? (Score:5, Interesting)
Don't underestimate how little companies might check information before opening a line of credit. When my identity was stolen, the thieves opened a credit card in my name. They had the name, address, SSN, and date of birth right, but the mother's maiden name wasn't even close. This is billed as a "security question," but failing this didn't stop Capital One from opening a card in my name for the identity thieves.
In my case, I found out about it due to a fluke. The thieves paid for rush delivery of the card and THEN changed the address to their own. The rush delivery processed first and the card came to me. Had that processing switched, they would have gotten the card, racked up a ton of debt in my name, and I would have only found out about it when the collections agencies banged down my door telling me to repay what "I" charged.
For the credit card company, dealing with this was as simple as writing it off as fraud and closing the account. For me, it meant dealing with the fallout and freezing my credit permanently (only thawing it when I want to open a new account). Credit Card companies have almost zero incentive to prevent identity theft.
Re: (Score:2)
Re: (Score:2)
It's one of those things that's constantly billed as a "security question" and before my ID theft I naively thought that it provided some level of security. Basically, if you tried to apply for credit in my name and said my mother's maiden name was "Smith", I thought you'd be denied because that's wrong. Instead, mother's maiden name is pretty much ignored. They might as well ask "What's your favorite food" or "Are you reading any good books right now" for all the security it provides. Yet, they still will
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Fairly static? They do not change. They are static, statistically speaking..
Actually a social security number can be changed. For all intents and purposes it requires a act of god but it can be done. I don't know all the instances where it can be done but I have heard of a new one being issued due to a massive case of identity fraud.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Uh, no. Those are the requirements for the initial issuance of a 'Real ID' approved license. If you don't want to present all that stuff you get a regular drivers license, which will not be accepted for ID for domestic flights, etc.
Um, YES (Score:1)
That option is not offered to citizens in my state. If you are a US citizen you are REQUIRED to get a "RealID". I've called and asked the DOT. Even asked them to confirm that, which the nice lady did after putting me on hold for a few minutes.
Only illegals have the option to choose a non-federal ID card, er... I mean "driver's license".
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Thats 500,000 more illegals whenever the SSN getd of age to vote, drive, etc.
Re: (Score:2)
Re: (Score:1)
Names, Addresses, Social Security Numbers, phone numbers, etc etc etc. Any of this information is useful to identity thieves. It really doesn't mater how old it is as long as it can be used to link someone to something at some time. Some things like social security numbers and names never change. Things like past addresses and phone numbers can be used to link someones identity over time.
I'm kind of surprised a school hasn't been hit yet. I would imagine compared to banks and credit unions they would be soft targets security wise.
They ARE easy targets. I work for a school district in a systems engineer position. Posting as AC because I don't need my real name or username visible. It is incredible how many people in upper administration of my district fall for this shit EVERY. GODDAMN. TIME. (Even people who work closely with the superintendent) They send their actual credentials almost every time. They never learn because they don't fucking want to. On top of that, the IT department for my district is run like...like nothing m
Re: (Score:2)
I'm kind of surprised a school hasn't been hit yet.
You really think this was the first time??
Re: What is of real value? (Score:1)
Re: (Score:2)
Phishing should have been so dead, so many years ago. It's a goddam computer. Walk the path of the phishing, and analyze the progression and respond with, "This is not going to turn out well, so I'm not going to allow it until an IT person gets here and authorizes it."
Re: (Score:2)
If you give out your information, count on it being stolen. The solution is not to give it out in the first place. AFAIK, it is not legally required to give a SSN to enroll in public school.
When people or businesses ask for my SSN, I refuse. One doctor insisted, so I took my business elsewhere.
Re: (Score:2)
Re: (Score:2)
As a society we must collectively resist providing data that is not needed. But all the time I see people hand out personal info for no reason at all. When the cashier asks if she can get my telephone number, I simply reply "No" - I do not explain, apologize or make an excuse, just "No."
If I get carded at a bar, I show my ID with the birth date visible. I cover up the number and don't let it our of my hands, no scanning. If everyone did this, organizations and businesses would rein in their data collect
Re: (Score:2)
Re: What is of real value? (Score:2)
Re: (Score:2)
I'm kind of surprised a school hasn't been hit yet. I would imagine compared to banks and credit unions they would be soft targets security wise.
Can confirm. I worked on one project at a community college where they were sending student data in the clear across the open internet, to a remote classroom site. IIRC, the application literally used telnet. I got paid a little bit to quickly set up ssh tunneling, and then I got paid more again to set up IPSEC later. They had a sysadmin who was supposed to do stuff like that, but he knew jack. I was supposed to get his job, but then he bought a second Harley so The People had to pay him instead of someone
Re: (Score:2)
I am trying to figure what is so valuable of 10 years of school district data?
If the student data has birth dates and SSNs, it could be used to open fraudulent credit card accounts. Medical identity theft is a possibility too. Ten years of data? Some of these "kids" are adults now, and looking to finance cars and houses. They may have some serious hassles ahead.
Re: (Score:1)
There is real value (Score:5, Informative)
I was informed by a security expert at a technology convention that personal data (Name, BD, SSN) of children are some of the most valuable data sought after on the dark web. When adults have their security credentials stolen, they discover the theft rather quickly, and any accounts created with the stolen data are shut down in a matter of weeks, giving the stolen credentials little potential value. But children do not check bank account information, or credit card balances, or credit scores until they become adults. Hackers can use that information to bankroll illegal financial activity for years.
Someone enrolled now in preschool may discover 15 years later when they fill out their FAFSA that they owe hundreds of thousands of dollars in unpaid credit card balances and financial loans. San Diego School District will be liable for decades to come.
Re: (Score:2)
Perhaps they think the Permanent Record is real and info they can leverage.
Re: (Score:2)
Yet another reason... (Score:1)
I home schooled my kids... Their school records are not at risk from some underpaid government employee's mistakes.
Not to mention that they got a pretty good classical education and are both excelling in college...
Re: (Score:1)
I home schooled my kids... Their school records are not at risk from some underpaid government employee's mistakes.
Not to mention that they got a pretty good classical education and are both excelling in college...
Congratulations. You should get some stickers for the back window of your Prius.
Re: (Score:2)
I home schooled my kids... Their school records are not at risk from some underpaid government employee's mistakes.
Not to mention that they got a pretty good classical education and are both excelling in college...
Congratulations. You should get some stickers for the back window of your Prius.
If I ever get one, I guess I will. But my pickup truck is going to have to bite the big one and a Prius is going to have to change to look more like a truck first.
Re: (Score:2)
Re: (Score:2)
The first reason we home schooled is to avoid dealing with the liberal bias in education and so we had control over what our kids where being taught. Secondary was that our kids both had learning disabilities that would have made classroom learning difficult for them and being in a school with 2 students and 1 teacher was a clear advantage for them.
So the primary reason was we thought it would produce the best educational outcome for both of them to learn at home. It's hard to know what "could have" been,
Re: (Score:2)
Let's see.
The day after the school shooting in Colorado they expelled my middle son because he owned a trench coat but hadn't worn it for over a year because he out grew it. A truancy officer showed up at my house later that afternoon and apologized because apparently the principle that expelled the kids with trench coats had been suspended and all the expulsions expunged.
The same son was expelled for wearing a pentagram. When I confronted the principle she told me that it was a gang sign and I corrected he
Re: (Score:2)
Re: (Score:1)
Little Bobby Tables strikes again.
Re: (Score:2)
Copied, not Stolen (Score:1)
Copied.The intruder copied the records. If he had stolen them, the district would no longer have them.
So many errors (Score:1)