The Grinch is looking better every day. He only stole Christmas! Shortly before the new year, hackers stole ten years’ worth of records from the San Diego Unified School District, containing personal identifying information on 500,000 students and staff. Board members need expert training to comply with a sufficiently defensive technology policy.
The incident marks one of the all-time largest data breaches of a school district.
According to ZDNet, the hacker gained access to the district’s network over the 10-month period commencing November 1, 2018. In that time period, he grabbed data on students and staff going back ten years to the 2008-2009 academic year.
The extent of the damage is almost unfathomable. The Washington Post reports that “[t]he data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals. … Additionally, some 50 district employees had their log-in credentials compromised…” The stolen data included all of the following:
- Student and staff personal identifying information: first and last name, date of birth, mailing address, home address, telephone number.
- Student enrollment information: schedule, information on disciplinary incidents, health information, school(s) attended, transfer information, legal notices on file, attendance data.
- Student and selected staff Social Security Number and/or State Student ID Number.
- Student and staff parent, guardian and emergency contact personal identifying information: first and last name, phone numbers, address (if known), email address, employer information.
- Selected staff benefits information: information on health benefits enrollment, beneficiary identity, dependent identity, and savings or flexible spending accounts.
- Selected staff payroll and compensation information: paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information.
How Did the San Diego Breach Occur?
What could possibly account for the theft of so much critical data? According to ZDNet, “[t]he breach occurred because the attacker gained access to staff credentials via a tactic known as phishing — sending authentic-looking emails that redirect users to fake login pages where attackers collect login credentials.” Phishers thereby gain access to the entire contents of a data network via a single e-mail.
Alert employees finally brought the heist to a close. Some of them did not click on the compromised emails, reporting to IT that they looked suspicious. That prompted IT to investigate further. In October, they discovered the breach and brought it to an end. If nobody had reported suspicious emails, the hackers could still be digging deeper in the databank for yet more confidential information. If more of the email recipients could recognize a spurious source, IT might have shut down the operation long before the cybercriminals collected half a million confidential data points.
The moral of the story is that trained personnel are essential to system-wide protection. The leverage of proper training is multiplied significantly for board members. After all, their email addresses are often posted on the district website, and they often handle the most sensitive information in the district. Nonetheless, a 2018 nationwide NSBA survey of 482 school board members revealed that 67% of them sit on boards that require no cybersecurity-related training whatsoever, 26% of them have no idea if their board requires such training (which means they probably do not), and only 12% of them receive mandatory cybersecurity training. To batten down the hatches, board members need frequent training by trained experts to comply with a firm technology policy.
Consulting the right people is key, as many districts rely on lower-level IT staff to handle computer questions on a one-off basis, in the absence of a deliberate policy or board training. Best practice includes having an IT/IS officer: (1) establish a technology policy; (2) oversee board communications accordingly; and (3) train the board how to comply as they go about their everyday board business.
- A Technology Policy. Such a policy sets limits on technology use in the interest of reducing exposure to cybercriminals. Research on cybercrime indicates that an informed technology policy would dictate that no stakeholders may download any board business onto a personal device or a home computer, that no district documents may appear on public file-sharing sites, and that using email for board business is banned.
Some board members think email from an address issued by the district on its network “feels safe.” They are tragically mistaken. Such an address entices phishers the most, as it promises a cornucopia of sensitive district information if the hacker can gain entry.
- Board Communication Oversight. An IT expert should conduct a comprehensive inventory of the ways that board members share matters of board business with each other, with external stakeholders, and with the public. Their study would include:
- Where and how files are stored (Google Docs and the like are wholly unsecured);
- What devices readers use to see documents (Personal devices often lack proper security);
- Who sends emails (wholly unsecured without a fully-encrypted private server); and
- Whether texting is used. (Texting apps that come on phones lack the protections of texting apps that come bundled with secure board portal software.)
Despite the urgent need for such professional oversight, only 37% of NSBA survey respondents have an IT officer, IS officer, data security team or Audit or Risk Committee monitoring board communication; 27% of respondents have such a professional monitoring the board’s compliance with district communication guidelines per se; and 17% know that they do not have such professionals monitoring those communications. A full 47% don’t know if such experts monitor that compliance.
An executive-level IT expert (ideally the same one overseeing board communications) should routinely train the board, whether or not she actually sits on the board. (A growing number of districts have deemed information technology an essential skill set to have consistently represented on one seat on the board.) The recognition that school boards need this level of professional in the game parallels the private-sector realization that technology must be considered an enterprise-wide C-suite concern.
Extensive training must be built into the board’s routine. The NSBA survey revealed that 40% of school board members get such training only once in their tenure, while 60% get training once a year. Even an annual schedule is not enough. The best practice is to hold training four times a year – or twice, at a minimum. “Tabletop” exercises can reinforce the lessons.
The San Diego heist serves as a wake-up call. School boards need technological communication training by experts to comply with a district-wide technology policy.