Phishing Scam Hits Carmel Unified School District
The Carmel Unified School District in the state of California has reportedly been hit by a phishing scam.
Reports say that the Carmel Unified School District has sent out an email to employees notifying them of this attack; the email reportedly informs them that there has been unauthorized access to some email accounts within the network.
Juan Reyes, who covers education for The Monterey Herald, reports, “Paul Behan, chief technology officer at Carmel Unified, said a successful phishing attack gained access to an employee’s email account that had a limited number of documents.”
In his report, Juan Reyes writes that these documents may have contained personal data of employees, spouses or dependents. The personal data might include birth certificates, social security numbers, marriage certificates, doctors’ notes excusing employees from work or authorizing them to return to work etc. (The doctors’ notes, he observes, also includes sensitive medical information).
At the same time, a different letter has been sent to a group of several hundred employees affected by the phishing attack; this letter notifies them that their personal information has been leaked due to malware.
It was in January that the authorities became aware of the phishing attack, which is said to be widespread and well-crafted. The Monterey Herald report says, “Jessica Hull, a spokesperson for Monterey County Office of Education, said a widespread well-crafted phishing attack struck throughout Monterey County, including the Office of Education, Carmel Unified and other districts… Hull said it was a highly sophisticated attack and difficult to identify by the employees receiving emails.”
Jessica Hull has clarified that the team at the County Office of Education has taken steps to remove the phishing email from the systems and strategies have been planned in collaboration with Carmel Unified.
The Monterey Herald quotes from the letter, posted on the DataBreaches website and prepared by CTO Paul Behan and network administrator Rob Perry-“ Our investigation has not found any evidence that this incident involves any unauthorized access to or use of any of the (Carmel Unified School District’s) internal computer systems or network. Please note, we are not aware of any fraud or misuse of your information as a result of this incident.”
The letter also lists the steps that Carmel Unified has taken. This includes identifying the characteristics of the phishing message, removing copies of the message from users’ inboxes etc. At the same time, the district has adjusted its mail system settings to enhance the detection of similar phishing emails and has also reset employee passwords after notifying employees. In collaboration with the Monterey County Office of Education, the Carmel Unified School District is working to improve data security and is also auditing things like encryption, email storage, document transfer etc. Plans are afoot to develop better cybersecurity training for the employees, which would definitely help check phishing scams to a great extent. The Monterey County Office of Education, in a bid to prevent future attacks, has reportedly made adjustments in its firewall.
Quite recently, there were reports of other such cyberattacks as well. A data breach at San Diego Unified School District that was detected in December had impacted the personal data of over 500,000 individuals and a phishing scam that hit the Teton School District in December caused a loss of $784,000 (of which $484,000 was recovered later).
In his report, Juan Reyes observes, “Since January 2016, there have been 429 cybersecurity-related incidents against K–12 schools including ransomware attacks, according to the K–12 Cybersecurity Resource Center…In 2016, EdTech Insider reported analysis from the Department of Education showed 60 percent of K–12 schools hit with ransomware decided to pay attackers in order to get back control of their data.”