Who: Carmel Unified School District

When:15 Mar 2019

# of records involved: Several hundred employees

What happened: Unauthorized access to some email accounts within the district.

How did it happen: A successful highly sophisticated phishing attack and difficult to identify by the employees receiving emails allowed access to an employee’s email account that had a limited number of documents. Those documents may have contained employees’, spouses’ or dependents’ information such as social security numbers, marriage certificates, birth certificates and doctor’s notes excusing employees from work or authorizing them to return to work, which also included sensitive medical information.

Outcome: The (Monterey County Office of Education) team took decisive steps to actively remove phishing email from our systems with Carmel Unified, we collaborated by sending strategies. Carmel Unified has done a great deal of analysis and we have had a mutual exchange of information. Carmel Unified does not have a way to determine whether or not any particular information within the account was accessed. Our investigation has not found any evidence that this incident involves any unauthorized access to or use of any of the (Carmel Unified School District’s) internal computer systems or network. Please note, we are not aware of any fraud or misuse of your information as a result of this incident.