SAN DIEGO (KGTV) — California school districts have been targets of data breaches in recent years, and schools in San Diego County are no exception.
San Diego and Sweetwater—the two largest districts in the county—have suffered from cybersecurity incidents in recent years.
Sweetwater Union High School District suffered a data breach in February but did not confirm it until June. The unauthorized person accessed and took sensitive files from the district’s network systems from Feb. 11 to Feb. 12 of this year, according to the district.
“The District reviewed the files that may have been taken and on May 12, 2023, unfortunately, the District determined some personal information of current and former employees, dependents, students, families, and others who provided information to the District was included in the potentially taken files,” a spokesperson with SUHSD confirmed.
Michelle Beale, an employee at the Sweetwater Union High School District, told ABC 10News in June she received a letter saying her information may have been compromised by the breach.
“The sooner you tell us, the sooner we’re able to then do what we need to do to protect us,” Beale said.
The Government Accountability Office reported monetary losses to school districts ranged from $50,000 to $1 million dollars per cyber incident. Learning loss following a cyber attack could range from days to weeks.
Cybersecurity expert Ronnie Rast, a Senior Business Development Manager for Independent Security Evaluators, said that school districts' technology infrastructure is vulnerable.
“Schools don't have a lot of budget or funding for basic security measures, so it's kind of like an easy target for these attackers,” Rast said. “These nefarious actors are getting social security numbers, they're getting student names, social security numbers. They're getting in some cases, medical information.”
SUHSD is now facing a class action lawsuit. The suit alleges that the district failed to adequately secure important information. It's being accused of invasion of privacy, negligence, and violating the confidentiality of the Medical Information Act.
The district, in its release, maintained that there was no evidence of misuse of private information.
“Individuals should immediately report any suspicious activity to the appropriate financial institution or agency,” the release said.
The school district has not answered questions from 10News regarding the specifics of the data breach.
“Following one of these data breaches, the repercussions can be long-lasting. They can take a long time to be discovered,” said April Strauss, an attorney representing the plaintiffs in the lawsuit . “In fact, data of minors is particularly attracted to cyber thieves. Most of us don't really check the credit scores of our children.”
Strauss said that offering people a year of free credit monitoring "does nothing to maintain robust security in the future."
10News reached out to several other local school districts to ask about how they are handling the threat of data breaches but did not hear back.
The topic of cybersecurity in schools has been of interest at a federal level. The White House recently held its first cybersecurity summit focused on K-12 schools with experts from San Diego among the panelists.
Terry Loftus, the assistant superintendent and Chief Information Officer at the San Diego County Office of Education, was one of the speakers. Loftus said that having a discussion at the event alongside prominent people draws attention to the topic of cybersecurity.
He agrees that funding is a challenge, especially as districts are funded through the Local Control Funding Formula.
Recently, FCC announced a $200 million pilot program that will help funding for cybersecurity protections in schools.
“It's money that needs to be utilized for everything that our students need to grow in to achieve," he said. "Communities give input [to] parents, administrators, staff, students themselves, but that includes everything... Cybersecurity really hasn't ranked high up there as far as the needs.”
At a minimum, schools need a password policy and two-factor authentication, according to Rast. He also said training, like simulating phishing attacks, is critical.
Loftus said parents should talk to their kids about cybersecurity, and students can start learning about the topic as early as the second grade.