If you are a current or former employee or student, or their spouse, dependent, or family member, associated with Sweetwater Union High School District (SUHSD), you might have received one or more letters notifying you that your personal information may have been stolen in a cyberattack that occurred in February 2023.
SUHSD waited until late June and early July 2023 to notify current and former employees and students of the data breach. Despite having four months to investigate the breach and determine precisely what data was stolen, the District’s notice was vague on the details of the breach, only noting that “some personal information of current and former employees, dependents, students, families and others who provided information to the District was included in the potentially taken files.” In addition, it seems some of the data breach notices were mailed to the wrong address or addressee. The District just sent a second set of notices allegedly correcting this error and asking that the original misdirected notices be returned or destroyed.
Sweetwater Union High School District Data Breach
According to SUHSD, around February 12, 2023, there was an “unauthorized access” to its computer systems. Following this breach, the District started an investigation.
In April 2023, the District contracted the services of Logicalis, a United Kingdom-based IT company, to install two-factor authentication access to the District’s computer systems. SUHSD’s implementation of two-factor authentication after this data breach, particularly when there had been an earlier breach in September 2022 of the same systems, raises serious questions about whether the District had sufficient cybersecurity measures in place before the recent breach.
While not expressly admitting being subject to a cyberattack on or about May 12, 2023, SUHSD’s investigation determined “some personal information” of the District’s current and former employees and students, as well as their spouses, dependents, and other family members, was stolen during this breach. SUHSD has provided no information about the details of this data breach, just the vague statements noted above.
The District also has not provided details on what data was accessed or taken. Depending on how the District maintained its systems, the data could also include medical information such as workers’ compensation, disability or health benefit claims, direct deposit, or other financial information for employees.
SUHSD has also refused to reveal the number of people whose “personal information” was stolen from its computer systems. SUHSD has over 39,000 high-school students and 4,000 staff members in over 30 schools. The District also serves over 30,000 adult learners, who were the subject of an earlier breach last year. Because the data breach involved the personal information of spouses, dependents, or other family members of current and former employees and potentially the data of some current and former students or their family members, the number of victims could be in the tens of thousands. As the investigation continues, more individuals may be identified as having had their data stolen.
In a June 23, 2023, statement regarding the breach, SUHSD said it had put security measures into practice “(t)o prevent something like this from happening again.” However, the District has not disclosed what security measures were in place before the data breach. Nor has the District stated whether this was a ransomware attack and whether any ransom payment was made. The FBI warns against paying a ransom in response to a ransomware attack as it is a known practice of ransomware attackers to re-sell stolen personal information on the dark web.
Student Social Security numbers are particularly attractive to cyber-criminals because parents seldom check their children’s credit reports. Unfortunately, thieves know that an SSN stolen from a minor may be used for years to establish a false identity without being discovered. In addition, school districts may have student files with sensitive medical and psychological information about students. Schools regularly collect and process this ultra-sensitive information for students with IEPs or 504 plans and for those who have submitted medical forms to participate on school sports teams.
This cyberattack against the District was foreseeable. There were prior warnings based on similar cyberattacks on several Southern California school districts before the SUHSD incident. Cyberattacks on school districts, universities, and municipal governments have become commonplace, as such entities typically store significant personal information and rarely segregate or delete old data. According to an announcement posted on the California Attorney General’s website, SUHSD suffered a past cybersecurity incident in September 2022, the details of which have not been publicly provided.
SUHSD’s Data Breach Response
Under California law, school districts like SUHSD that maintain personal, financial, and medical information must take reasonable care in securing this data from cyberattacks. And once personal, financial, or medical information is stolen in a cyberattack, SUHSD must provide timely notice to potentially affected individuals of the breach and details on the type and extent of personal information stolen. The purpose of this notice requirement is so that affected individuals can try to minimize the harm the breach caused or will cause.
SUHSD waited until after the school year ended in late June and early July 2023, over four months after it had learned of the breach, before sending notice of the data breach to potentially affected individuals. SUHSD compounded the harm from the delayed notice by providing very few details about the breach and the type and extent of personal information stolen. And SUHSD has yet to explain the four-month delay in notifying affected individuals about the breach.
In addition, it appears some notices listed the wrong person at a particular address, such that many of those notices were mailed to the incorrect address of persons identified as having had information stolen in this attack. The District, beginning around July 10, 2022, sent out a second set of notices allegedly correcting this error and asking that the original misdirected notices be returned or destroyed.
Following notification of the breach, these steps can help protect you in the wake of the SUHSD data breach.
- Regularly review your credit reports from Equifax, Experian, and TransUnion—access free reports yearly at www.annualcreditreport.com (official site). Report any unrecognized accounts or inquiries.
- Place a fraud alert on your credit files for free via one of the credit bureaus. This requires creditors to verify your identity before changing your accounts or opening new ones. FTC page with more information.
- Think about freezing your credit. It prevents unauthorized access to your credit reports, blocking identity thieves from creating new accounts. This can be done for free with each bureau and is easily unfrozen when you need it. You can use the FTC link above to make these changes.
- Monitor your bank transactions for unusual activity. Immediately report any suspicious or unauthorized transactions to your bank. Consider updating your banking passwords and PINs.
- Avoid phishing emails and calls asking for personal or financial details. If unsure of the legitimacy of a request, contact the sender using verified contact information.
Class Action Filed Over the SUHSD Data Breach
On July 9, 2023, we filed a class action lawsuit against SUHSD in San Diego Superior Court. The class action alleges “in February 2023 (and possibly earlier), SUHSD was subject to at least one cyber-attack and accompanying data breach and theft. This action arises from the negligent or reckless failure by SUHSD to adequately secure the private, personal, financial, and medical information of Plaintiff and all others similarly situated. The class as referred to herein is defined as all natural persons whose data was compromised and/or received or are to receive notice of this attack from SUHSD at some point from February 2023 (the “Class”). SUHSD abdicated its obligation and duty to protect sensitive personal information in its possession … and failed to take steps necessary to prevent such an attack.”
A copy of the class action lawsuit Complaint is available here.
If you are a current or former employee or student of SUHSD or a dependent or family member of an employee or student of SUHSD, and you received notice of the breach from SUHSD or did not receive notice of the breach but have questions, you can contact us. We will be happy to discuss your legal options and rights and the status of the class action lawsuit.