Records reveal new information about Sweetwater Union High School District data breach

CHULA VISTA (KGTV) — New records reveal how widespread a data breach was at the Sweetwater Union High School District.

Information given to ABC 10News through a request from the California Public Records Act shows more than 22,000 people were affected by the breach, and the district paid a ransom to the alleged hackers.

It was in February 2023 when ABC 10News first learned of what was called an “incident” affecting internet access at the district. At the time, parents and employees were the ones to first share that information.

A February 14 text from the district spokesperson to ABC 10News confirmed the “information technology system outage.”

The district sent a letter dated June 23 to local news outlets about the incident. At that time, the school year was over and it was more than four months after the system outage.

It confirmed an “unauthorized person gained access to the district’s computer network.”

Following a CPRA request filed June 24, ABC 10News received hundreds of documents from the district at the end of September.

An email dated May 13, 2023, from a law firm to at least two district officials stated 12,522 people who will require notification about the breach, “including 12,293 who had their Social Security number impacted and will be offered credit monitoring.”

It also said, “In addition, 9,842 students were identified as having had name, date of birth and/or email address impacted.”

In a section titled “Incident Description,” there were more details revealed about the incident.

“On February 12, 2023, SUHSD discovered that its email was inoperable. After investigating, SUHSD discovered that 20 of its servers were encrypted and ransom notes were found on 81 servers and several printers.”

According to the document, the initial ransom demand was $1.5 million. “Payment to the treat actor in the amount of $175,000 was completed on March 2, 2023,” the email stated.

Numerous employees told ABC 10News the district did not give them any idea on the scope of the breach.

Employee Michelle Beale acted right after she found out about the February incident, even though details were scarce at the time.

“I got the foresight when we first got wind to freeze our credit and luckily, we did, because inquiries had been made in my husband’s credit to try to open accounts in his name,” Beale said.

Cybersecurity expert and University of San Diego professor Nikolas Behar said incident response can take several days, but school districts should be prepared for any scenario.

“It’s really important for organizations to have a plan to respond to incidents because if they don’t have a plan, then something’s going to happen, and they’re not going to know exactly what to do,” Behar said.

Behar said federal law requires publicly traded companies to notify affected parties of material data breaches within days, but he said that same law does not apply to the education sector.

The district is facing a class-action lawsuit over this incident. In response to the legal action, attorneys representing Sweetwater filed a demurrer, saying the plaintiffs failed to state “sufficient facts” or “meet the high bar necessary to allege a constitutional invasion of privacy.”

ABC 10News asked for a follow-up interview from the school district, inquiring if everything was resolved with the breach and if the superintendent would be available for an interview about security measures. A spokesperson responded saying the district does “not have an update to share.”

“The district is paying for one year of credit monitoring. Thereafter, who has to pay for that credit monitoring? We do,” Beale said.

To help protect your information, cybersecurity experts encourage you to use two-factor authentication and utilize strong passwords. If you are affected by a breach, check not only your credit, but also your children’s credit.