San Diego Unified School District (SDUSD) suffered a ransomware attack discovered around October 25, 2022, compromising the personal and health information of students and employees. The breach exposed sensitive data, leading to a class action lawsuit alleging negligence in cybersecurity protections. Affected individuals including California residents, employees, and students (or their guardians for minors) were notified of potential risks such as identity theft and fraud. The settlement offers victims up to $2,500 in compensation (covering out-of-pocket losses, lost time, and extraordinary expenses) alongside one year of free credit monitoring. The attack’s fallout included financial burdens for victims, reputational damage to SDUSD, and operational disruptions, though no evidence suggests the stolen data was misused for large-scale fraud or systemic harm. The district denied liability but settled to avoid prolonged litigation, with payouts contingent on court approval.
Source: https://www.claimdepot.com/settlements/sdusd-data-settlement
San Diego Unified School District cybersecurity rating report: https://www.rankiteo.com/company/san-diego-unified-school-district
"id": "SAN0903509112225",
"linkid": "san-diego-unified-school-district",
"type": "Ransomware",
"date": "10/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Students and employees '
'(California residents who '
'received breach notification)',
'industry': 'Education (K-12)',
'location': 'San Diego, California, USA',
'name': 'San Diego Unified School District (SDUSD)',
'type': 'Educational Institution'}],
'customer_advisories': 'Eligible individuals can claim up to $2,500 plus '
'credit monitoring; minors can receive $40 cash '
'payment',
'data_breach': {'data_exfiltration': 'Likely (ransomware attack)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (includes health information)',
'type_of_data_compromised': ['Personal Information',
'Health Information']},
'date_detected': '2022-10-25',
'description': 'California residents who received a mailed notification from '
'San Diego Unified School District that a data breach '
'discovered around Oct. 25, 2022, may have compromised their '
'personal information could be eligible to claim up to $2,500 '
'plus credit monitoring from a class action settlement. The '
'breach involved a ransomware incident that exposed personal '
'and health information of students and employees.',
'impact': {'brand_reputation_impact': 'Class action lawsuit and settlement',
'data_compromised': ['Personal Information', 'Health Information'],
'financial_loss': {'attorneys_fees': '$320,000',
'credit_monitoring_costs': None,
'extraordinary_expenses': {'conditions': ['Actual, '
'documented '
'and '
'unreimbursed '
'monetary '
'loss',
'More '
'likely '
'than '
'not '
'caused '
'by '
'the '
'data '
'incident',
'Occurred '
'between '
'Oct. '
'25, '
'2022, '
'and '
'Jan. '
'13, '
'2026',
'Subject '
'to '
'reasonable '
'efforts '
'to '
'avoid '
'or '
'recover '
'the '
'loss'],
'max_amount': '$2,000 '
'per '
'person'},
'ordinary_losses': {'covered_expenses': ['Credit '
'reports',
'Credit '
'freeze '
'fees',
'Card '
'replacement '
'fees',
'Late '
'or '
'over-limit '
'fees',
'Interest '
'on '
'payday '
'loans',
'Bank '
'or '
'credit '
'card '
'fees',
'Postage, '
'mileage '
'and '
'other '
'incidental '
'expenses',
'Costs '
'associated '
'with '
'credit '
'monitoring '
'or '
'identity '
'theft '
'protection',
'Lost '
'time '
'($20/hour '
'for '
'up to '
'4 '
'hours)'],
'max_amount': '$500 per '
'person'},
'service_awards': '$10,000 total',
'total_settlement_fund': None},
'identity_theft_risk': 'High (credit monitoring offered)',
'legal_liabilities': 'Settlement agreement to resolve class action '
'lawsuit',
'systems_affected': ['Computer Systems']},
'initial_access_broker': {'high_value_targets': ['Personal Information',
'Health Information']},
'investigation_status': 'Settled via class action lawsuit (final approval '
'pending as of Feb. 6, 2026)',
'post_incident_analysis': {'corrective_actions': 'Settlement agreement '
'(credit monitoring, '
'financial compensation, '
'denial of wrongdoing)',
'root_causes': 'Alleged failure to adequately '
'protect personal and health '
'information'},
'ransomware': {'data_encryption': 'Likely (ransomware attack)',
'data_exfiltration': 'Likely'},
'references': [{'source': 'Class Action Settlement Notice: G.W., et al. v. '
'San Diego Unified School District'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled'},
'response': {'communication_strategy': 'Mailed notifications to affected '
'individuals'},
'stakeholder_advisories': 'Mailed notifications to affected individuals; '
'settlement claims process open until Jan. 13, 2026',
'title': 'San Diego Unified School District Data Breach Settlement',
'type': ['Data Breach', 'Ransomware Attack']}