A Data Breach Hits a San Diego-based Low-Income Preschool Education Provider
Educational Enrichment Systems, Inc. (EES) doesn't look like the most attractive prey for cybercriminals. For the last four decades, EES has developed and offered educational programs to children growing up in low-income families. It's a non-profit organization that works predominantly with toddlers and kids in preschool age, which is a far cry from the faceless corporations and financial institutions that you'd normally expect to see getting hit. Despite this, the cybercriminals did decide to attack EES, and the results could have been pretty devastating.
Hackers compromised an EES employee's email
Last week, EES updated its website and included a link to a data breach notice, which explains what happened exactly. According to it, in August 2019, EES' IT team noticed unusual activity around an employee's email account. The investigation that followed revealed that the initial compromise took place on May 27, 2019, and the hackers retained unauthorized access to the inbox for the next month and a half.
The wording suggests that EES's IT experts know very well what happened, but the notification itself doesn't provide a whole lot in the way of details. It doesn't say, for example, how the hackers managed to get inside the EES employee's inbox. We can only guess whether it happened because of a weak password, a phishing attack, or a vulnerability in EES' email systems. We are left with no idea why the hackers moved out in mid-July, why EES didn't learn about the attack until late-August, and why the general public is informed about it now, more than five months after the breach's discovery.
"No evidence" of data misuse, but it pays to be careful
What the breach notice did tell us is what sort of data was potentially put at risk. As it turns out, the compromised email account held quite a lot of sensitive information, including names, email and physical addresses, Social Security Numbers, financial and health insurance data, educational records, and medical histories.
The educational service provider did point out, however, that the investigation has revealed "no evidence" of the data being accessed or misused. That said, the potential danger of having these details exposed is so huge, that taking any chances isn't a very good idea.
That's why, EES is in the process of informing every single affected individual, and the data breach notice includes a rather extensive list of precautions people can take in order to minimize the chances of identity theft.
Because the actual scope of the breach remains unknown, anyone who has worked with EES in the past should take a look at these steps and consider what they can do to keep themselves safe. For the rest of us, this incident should serve as yet another reminder that even organizations that do admirable work and help communities can be targeted by cybercriminals. As you can see, employees and volunteers working for these organizations are often the first to be compromised, and it's especially important that they know the risks.