The San Diego Unified School District has confirmed new details regarding the timeline of its "cybersecurity incident" in a report it filed with the state Attorney General's office on Dec. 12.
The sample data breach letter filed with the Attorney General's office confirms that the cybersecurity incident occurred Oct. 25, five weeks prior to the district first notifying employees and student families.
The letter was provided to the Attorney General's office, in compliance with California Senate Bill 24, and serves as an example of the letter the district must send to individuals it determines were subject to the breach.
Related Coverage
Get top local stories in San Diego delivered to you every morning. Sign up for NBC San Diego's News Headlines newsletter.
According to the letter, the district's investigation into the incident determined on Nov. 23 that files included in SDUSD's systems were taken.
The district "determined that the stolen data may include [a person's] name, Social Security number, health plan information, and/or direct deposit information," the letter adds.
In a letter shared with NBC 7 by district employees last week, Dennis Monahan, the district's Executive Director of Risk Management & Captive Insurance, wrote that it had been determined "that the data involved includes personal information of many current and former employees who have been employed with the district since 2020."
The letter included in the district's Attorney General filing also states that the district has "implemented additional security measures to enhance our existing cybersecurity protocols," but doesn't specify what those measures include.
The district also confirms the letter that it will offer a complimentary one-year membership to an identity monitoring service for victims of this breach.
SDUSD still has released very few details about the actual incident, but said "critical systems" were still operational and there was no impact on their safety and emergency mechanisms at any schools or offices.