On November 7, 2016, an employee of the San José Evergreen Community College District (SJECCD) accidentally uploaded a file containing sensitive personal information of students to a publicly accessible folder on the college’s website. The exposed data, discovered and reported by the California Office of the Attorney General on December 2, 2016, included names, dates of birth, and Social Security numbers (SSNs). The breach occurred due to human error, with the employee failing to secure the file properly, leaving it vulnerable to unauthorized access. The incident posed significant risks to affected students, as SSNs and personal identifiers are prime targets for identity theft, financial fraud, and phishing attacks. While there was no evidence of malicious exploitation at the time of reporting, the exposure of such sensitive data could lead to long-term consequences for victims, including credit damage, unauthorized account openings, or targeted scams. The college likely faced reputational harm and potential legal or regulatory scrutiny under data protection laws, particularly given the involvement of government reporting. The breach underscored the importance of employee training on data handling protocols and the need for technical safeguards (e.g., access controls, automated scans for exposed files) to prevent similar incidents. No ransomware or external cyber attack was involved; the root cause was internal negligence in securing confidential records.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-65161
TPRM report: https://www.rankiteo.com/company/sjeccd
"id": "sje032090625",
"linkid": "sjeccd",
"type": "Breach",
"date": "11/2016",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Students (Number Not Specified)',
'industry': 'Higher Education',
'location': 'San José, California, USA',
'name': 'San José Evergreen Community College District '
'(SJECCD)',
'type': 'Educational Institution'}],
'attack_vector': 'Human Error (Inadvertent Public Exposure)',
'data_breach': {'data_exfiltration': 'No (Data Exposed via Public Access, Not '
'Actively Stolen)',
'personally_identifiable_information': ['Names',
'Dates of Birth',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High (Includes SSNs)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2016-12-02',
'date_publicly_disclosed': '2016-12-02',
'description': 'An employee inadvertently uploaded a file containing personal '
'information of students to a publicly accessible folder on '
'the SJECCD website. The exposed data may have included names, '
'dates of birth, and Social Security numbers.',
'impact': {'brand_reputation_impact': 'Potential Reputation Damage (Sensitive '
'Data Exposure)',
'data_compromised': ['Names',
'Dates of Birth',
'Social Security Numbers'],
'identity_theft_risk': 'High (SSNs Exposed)',
'systems_affected': ['SJECCD Website (Publicly Accessible '
'Folder)']},
'post_incident_analysis': {'root_causes': ['Human Error (Employee '
'Misconfiguration)',
'Lack of Access Controls for '
'Sensitive Data']},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential Violation of '
'California Data Breach '
'Notification Laws (e.g., '
'CA Civil Code § 1798.82)'],
'regulatory_notifications': ['Reported to '
'California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public Disclosure via California '
'Office of the Attorney General'},
'title': 'San José Evergreen Community College District Data Breach (2016)',
'type': 'Data Breach',
'vulnerability_exploited': 'Improper Access Controls (Publicly Accessible '
'Folder)'}