Hacking group has reportedly released LAUSD data stolen during recent cyberattack

School district, originally given a 4 p.m. Monday deadline to pay a ransom, has refused to give in to demands of ‘criminal organization’

LAUSD Superintendent Alberto Carvalho (left) and Mayor Eric Garcetti walk in at the start of a Sept. 6, 2022, press conference about a cyberattack on the school district. (Photo by David Crane, Los Angeles Daily News/SCNG)

An international hacking syndicate that’s claimed responsibility for the cyberattack on the Los Angeles Unified School District has reportedly released at least some of the information it claims to have stolen during last month’s data breach, ahead of a Monday deadline it previously set for the nation’s second-largest K-12 system to pay a ransom.

Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, tweeted Sunday, Oct. 2, that Vice Society – known for conducting ransomware attacks on educational institutions – had posted data on the dark web it claims to have stolen from LAUSD.

The news follows comments from the district on Friday that it is refusing to cave to the demands of a “criminal organization.”

Superintendent Alberto Carvalho later confirmed Sunday that “data was recently released,” though his tweet did not specify what information – or whether that information is considered sensitive or confidential – was posted.

“In partnership with law enforcement, our experts are analyzing the full extent of this data release,” the tweet said.

Citing an anonymous law enforcement source familiar with the investigation, NBC4 reported that the information released over the weekend included some confidential psychological evaluations of students, contract and legal documents, business records and numerous database entries. Some of the data appeared to contain personal identifying information, including Social Security numbers, the source told the news station.

Parent Alicia Baltazar said in an interview she’s concerned the hackers may have gotten ahold of personal information like her son’s birthdate. Having been a victim of identity theft once, Baltazar recalled the ordeal she went through, saying the latest data breach is “terrifying.”

“Not knowing what info they have access to and what they can do with that is what really has me trembling deep down inside,” she said.

News began circulating Friday that the district had been given a deadline of 4 p.m. Monday to pay a ransom to the group responsible for the cyberattack.

But the district, which has been consulting with the FBI, local law enforcement agencies and cybersecurity experts, doubled down on its insistence that the district won’t bow to the group.

“Los Angeles Unified remains firm that dollars must be used to fund students and education,” the district said in a statement Friday. “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”

LAUSD officials have not disclosed the amount of the ransom demand, though some districts that have been in similar situations have paid upwards of $1 million in the past, according to Doug Levin, national director of K12 Security Information eXchange, a nonprofit that tracks cybersecurity threats among school districts throughout the United States.

Law enforcement agencies generally advise districts not to pay ransom demands because doing so helps the hacker fund its criminal operations and encourages similar entities to target educational institutions, he said.

Callow, of Emsisoft, said in an interview Sunday that L.A. Unified is “absolutely” right not to pay up.

“If they were to pay the ransom, the most they would receive is a pinky promise from Vice Society that the data would be destroyed. There is no way of knowing whether they would actually do that,” he said, noting that some organizations that have paid ransom demands in the past ended up being extorted a second time.

“These people are criminals. They’re not trustworthy,” Callow said.

In LAUSD’s case, neither district officials nor federal investigators have confirmed the name of the group behind the hacking incident, though the superintendent had previously acknowledged that the group is known to law enforcement.

Meanwhile, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center issued a joint advisory days after the Labor Day weekend cyberattack, warning that they had “recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.” The advisory did not specifically mention LAUSD.

Nevertheless, a number of cybersecurity experts believe that Vice Society, which has reportedly claimed responsibility, is behind the incident.

The organization is responsible for hacking into at least eight other school districts and colleges or universities this year, according to Callow. He also noted that at least 27 school districts and 28 colleges in the country in all have been hit by ransomware in 2022. Of those instances, at least 36 had their stolen data released online, he said.

Some LAUSD parents and district employees complained Sunday that the district was failing to communicate adequately or in a timely manner the latest developments, and some questioned whether the district was being transparent enough about what it knows.

The superintendent previously said the district does not believe employee healthcare or payroll information was compromised, though he has acknowledged that LAUSD’s student information system was “touched.”

“We believe that some of the data that was accessed may have some students’ names, may have some degree of attendance data, but more than likely lacks personally identifiable information or very sensitive health information or Social Security number information,” Carvalho said last month. “It is a containable risk that we’re dealing with here.”

News reports Sunday that the stolen information may in fact contain Social Security numbers stoked fear among those in the school community.

“We need to know what info got out there so we know what to look for,” a woman named Jeanette tweeted in response to Carvalho’s social media post, accusing the district of keeping people in the dark.

“The silence is not okay. Placating updates don’t tell us anything. We don’t know what to look for,” she wrote in a subsequent post.

She and others on social media said a hotline set up to answer questions or provide assistance to parents and employees is operable during inconvenient hours. The toll-free hotline, reachable by calling 855-926-1129, will run 6 a.m. to 3:30 p.m. weekdays starting this week. Critics say those hours should be extended later in the day and on weekends to accommodate people who work.

In a statement Friday, the district said it would, if appropriate, notify people if their personal information is “impacted” by a release of information and that the district may provide credit-monitoring services.

“We understand that the attack has been an unsettling experience for all of us but this too we will overcome,” the district stated.