NAMPA — A person believed to be living outside the United States hacked into a Nampa School District email account, the school district announced Thursday in a press release.
The email account contained information about 3,983 current and past district employees, the release said.
The breach occurred in early February and was secured within two hours of login, said Kathleen Tuck, spokeswoman for the Nampa School District. The district was tipped off to the breach because the account began sending out spam emails, she said.
Upon investigation, the district learned the account had been accessed from outside the country. It affected a single email user and was not a system-wide incident, the release said.
The district has been working with a team of investigators from Navigant, an independent cybersecurity investigation firm, to determine what information may have been accessed. The information stored in the affected email account includes certain individuals’ names, Social Security numbers, birthdates and/or financial account information, the release said.
Representatives of the Nampa School District said they believe no personal data was compromised in the breach. The district is erring on the side of caution by notifying all current and past employees whose personal information may have been viewed or copied in connection with that account.
“We have no lead to believe that any account information was accessed,” Tuck said. “We just want to make sure everyone’s information is secure.”
A letter has been sent to everyone affected, the release said.
The district took steps to address this incident promptly after it was discovered, including initiating an internal investigation and hiring Navigant, the release said.
Additionally, the district has enabled Data Loss Prevention in Office 365, which detects the transmission of sensitive personal data; has updated its retention policy for district emails; is initiating new password requirements; and has required some users to utilize multi-factor authentication, according to the release. The district also has new cybersecurity awareness training requirements that will be sent to all employees.
Employees whose information was included in this account will receive one year of complimentary identity protection services, the release said.