Update, 5:37 p.m. Pacific: After a press conference at which the LAUSD superintendent said the district "stopped the attack midstream," LAUSD sent out an email that read in part: "First and foremost, based on the investigation conducted to date, it appears that the impact is not widespread. Some archival data regarding students, including student names, attendance data and addresses have been identified as impacted, but so far we have not identified critical private information. However, Los Angeles Unified’s review of the released data is ongoing. Affected individuals will be contacted by a District representative in the near future." The email also promised that the hotline hours will be expanded "soon."
Shortly after Los Angeles Unified School District (LAUSD) superintendent Alberto M. Carvalho made it clear there would be no ransom payment, cyberattack group Vice Society dumped its stolen data on the Dark Web — days before the group's Oct. 4 deadline to receive payment.
The early September cyberattack disrupted LAUSD's email and other systems, aimed at taking advantage of the busy back-to-school season.
"Los Angeles Unified remains firm that dollars must be used to fund students and education," a Sept. 30 media statement from the district said. "Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate."
Leaked LAUSD Data
The LAUSD statement also said the cyberattack hasn't interrupted student instruction but added that payment processing for contractors and vendors is not yet fully functioning.
The attack group behind the breach, Vice Society, had threatened to leak the data it stole, which included passport details, tax forms, legal documents, COVID-19 testing results, and even information on student psychological evaluations, by Oct. 4. However, after seeing LAUSD's statement, the gang went ahead and leaked the information hours later, days ahead of its own deadline.
Check Point Research, meanwhile, reported that the leak includes more than 248,000 files filled with Social Security numbers, contracts, invoices, passports, and more.
Check Point Researchers provided screenshots of a fraction of the leaked LAUSD data to Dark Reading, including passport files, an invoice for Merrimac Energy Group for what appears to be car fleet maintenance, an individual contractor's W-9 tax form, and ironically, a signed Security of Personnel Information form with a pledge not to misuse sensitive employment information.
LAUSD told Dark Reading it is not providing any new comment beyond its Sept. 30 statement, but Superintendent Carvalho did address the decision not to pay Vice Society's ransom on Twitter.
"I understand there will be many opinions on this matter, but, simply said, negotiating with cybercriminals attempting to extort education dollars from our kids, teachers, and staff will never be a justifiable option," Carvalho's tweet read. "LAUSD refuses to pay ransom."
The district said it arrived at the decision to refuse payment in consultation with the FBI, the White House, and the Cybersecurity and Infrastructure Security Agency (CISA), as well as with the private sector.
Paying the ransom itself is a dicey proposition, and experts warn that paying isn't any kind of guarantee the files will be recovered.
"Paying a ransom is a business-level decision that must taken into consideration when recovering from an attack," Matthew Warner, CTO and co-founder of Blumira said in a statement to Dark Reading. "However, that decision has a far-reaching impact on society that must be weighed as well. Paying a ransom is directly funding criminal enterprises that will turn around and utilize those funds to continue performing attacks."
Having robust backup systems in place helps make that decision much easier, Warner added.
Regardless of the decision about whether to withhold payment, there is no outcome of the LAUSD compromise that won't be expensive for the district, Bugcrowd founder and CTO Casey Ellis explains to Dark Reading.
"The downside of the LAUSD’s decision not to pay the ransom is that there is still going to be money to be paid around the cleanup of this as well," Ellis says. "That is going to cost time, and there is the potential for a significant financial impact."
Cyberattacks Against Schools: An Ongoing Problem
This isn't Carvalho's first school district cyber incident. In 2020, he was superintendent with Miami-Dade public schools when the district's new COVID-19-prompted distance learning efforts were disrupted by a distributed denial-of-service (DDoS) attack. A South Miami high school junior was eventually arrested in relation to the cyberattack, according to local news reports.
Overwhelming data shows Carvalho, along with his education administration colleagues across the country, will need to become accustomed to managing a growing number of cyber threats aimed at schools.
Check Point said that during the month of September alone, a US education organization was facing a weekly average of 740 attacks every week, a full 37% more than the same time last year. In addition, one out of every 98 organizations faced a ransomware attack each week, a rise of 15% over last year, Check Point added.
LAUSD Community Cost
Besides the direct district cost to recover from this specific breach, there is a wide community of students, staff, and business partners who are likely to be affected for years to come.
Warner warned that students, in particular, can expect to be targeted by future phishing campaigns using their data stolen from LAUSD.
Experts recommend anyone who was potentially impacted by the breach should be on the lookout for follow-on attacks and take steps ranging from freezing credit lines, getting a Dark Web monitoring service, changing passwords, and enabling multifactor authentication across all of their applications and websites.
"This incident serves as yet another reminder of why parents and students must make cybersecurity a priority," Darren Guccione, CEO and co-founder of Keeper Security tells Dark Reading. "Two-factor authentication is a powerful and simple way to safeguard accounts from a remote attacker."
LAUSD Community Demands More Response, Communications
Parents and other community advocates are unsatisfied with the LAUSD response so far.
One parent group called Parents Supporting Teachers released a statement saying that the group, which identifies itself as the largest parent advocacy group supporting LAUSD, is "frustrated" by the district's lack of communication about the breach beyond social media statements.
For its part, LAUSD has a new incident response line to answer questions about the cyberattack. But as one frustrated LAUSD parent, an editor with Dark Reading, pointed out, "Hilariously, the hotline only runs from 6 a.m. to 3:30 p.m., so teachers won't be able to call."
Another parent said commented on Twitter they were unable to get through to anyone on the hotline.
"Never got through" they wrote. "Had to hang up."