Victoria school district officials plan to notify about 32,250 people about a potential data security incident that may have involved a breach of their personal identification information.
“We have no evidence any information has been misused,” said Shawna Currie, district communications director.
A letter was mailed Wednesday to those people, including some of the district’s employees, applicants and former and current students, to let them know their information, including names, addresses, Social Security numbers, government issued identification numbers, financial account information and medical information, could have been compromised.
The district’s system was not breached, she said. However, emails within some of its employees’ email accounts were accessed without authorization in fall 2017, which may have contained personal information.
“None of the incidents were done with malicious intent,” she said. “If we found at some point an employee did do something malicious, then there would be consequences.”
Currie said the first instance involved an employee who connected to their email account through an unsecured wireless network.
“When they logged in, someone on the network was able to get their credentials,” Currie said. That person then sent out emails that appeared to come from that employee.
The other two instances involved phishing emails that looked similar to Dropbox or DocuSign, she said.
When the employees clicked the links, they input their login credentials not realizing the emails were not legitimate. After their login information was compromised, other spam emails were sent to other district staff.
District officials discovered the breach based on the emails that were sent out after the login information was compromised, Currie said. All affected employees were required to reset their email passwords and set up multi-factor authentication for email access.
An investigation was also conducted to determine what information may have been stored in the affected email accounts, she said.
The district’s technology department also sent notices to employees to recognize phishing threats. Other layers of security were added districtwide to prevent similar situations from happening in the future.
The district is offering credit monitoring and identity theft protection services through ID Experts at no cost for those potentially harmed.
Currie said employees do have a technology policy in their handbook and cyber education is also provided to staff members. Additional ways to build on training and information are being considered.
“Technology is always changing,” she said. “It’s important to know we regret it happened. Since it did, we are taking steps to notify everybody, give them some sort of protection and take steps to do what we can to prevent it from happening in the future.”