The personally identifiable information (PII) of thousands of people may have been compromised after a school district email account was breached. Idaho’s Nampa School District (NSD) has informed more than 3,900 former and current employees of the security incident, which was discovered after the account started to send spam emails.
The affected account contained the PII of 3,983 past and present NSD workers, including names, Social Security numbers, dates of birth, and, in some cases, financial information. Those affected have been informed, as have the relevant authorities.
NSD responded promptly, securing the compromised account within two hours of discovery and launching an investigation. The investigation concluded that the unauthorized third party was outside the US and that only one email account was affected.
An NSD spokesperson said:
“While we sincerely believe that no personal data has been compromised in this incident, the district is erring on the side of caution by notifying all current and past employees whose personal information may have been viewed or copied in connection with that account.”
Additionally, NSD has enabled Data Loss Prevention in Office 365, which detects the transmission of sensitive personal data; has updated its retention policy for district emails; is initiating new password requirements; and has required some users to utilize multi-factor authentication. The district also has new cybersecurity awareness training requirements that will be sent to all employees.
Complimentary credit monitoring services have also been provided for those affected.
Based on the reports, it is likely that the user of the affected email account fell victim to a phishing attack. The most important line of defense against a phishing attack is the email recipient. If your staff are able to identify and correctly respond to a malicious email, the danger can be mitigated.
Increase staff awareness
Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.
To determine how vulnerable your organization is to phishing threats, consider running a Simulated Phishing Attack. This service provides an independent assessment of employee susceptibility and benchmarks your security awareness campaigns.