14 DAY TRIAL // Omaha Public Schools, the largest school district in Nebraska, notified over 4,300 current and former employees that their information might have been compromised by hackers.
The attack was discovered on December 21 and affected the database of the Omaha School Employees' Retirement System.
The computer forensics firm contracted to investigate the incident was unable to determine if the personal details stored within were accessed or copied.
"While we are unable to confirm that unauthorized access actually occurred, we are concerned that it did," the system's executive director, Michael Smith, told the Omaha World-Herald.
Of course, with the impact unclear the district had to assume the worse and treat this as a data breach and notify the affected individuals that their records were exposed.
The database, which has since been taken offline, contained names, dates of birth, Social Security numbers, years of service and beneficiaries. Bank or credit card information was not affected.
Smith said the incident concerned a SQL injection attack that targeted the administrative account. "We have yet to be able to prove to ourselves that they were unsuccessful," he noted.
Also known as SQLi, this type of attack allows hackers to execute rogue SQL queries by exploiting input validation weaknesses in code that interacts with the database.
SQL injection vulnerabilities are the result of poor programming and are relatively common. Unfortunately, exploiting them can have far-reaching consequences.
Because the level of personal information possibly exposed can be used to perform identity theft, notified individuals are strongly advised to place fraud alerts on their credit files.
Fraud alerts last 90 days and can be placed for free with any of the three major credit reporting agencies, Experian, Equifax and TransUnion.
Creditors are required to perform more extensive checks when receiving applications for flagged identities. People can also request one free credit report per year from each of the agencies.