Los Angeles Unified School District data that was posted on the dark web by an international crime syndicate over the weekend did not contain sensitive personal information, Superintendent Alberto Carvalho announced on Monday, Oct. 3.
“We can confirm at this point, having gone through about two-thirds of the files that were uploaded, we have found no evidence of widespread access or dissemination of employee information that includes personally identifiable information,” Carvalho said. “Based on what we know today, we are able to confirm that the release was actually even more limited than we had originally anticipated.”
A hacking organization known as Vice Society sent a ransom demand to the district last week — after breaking into the district’s systems over Labor Day weekend — threatening to release the hacked data online if LAUSD refused to pay out an unspecified ransom by today, Monday.
The group released 500 gigabytes of hacked data over the weekend in spite of the deadline, following LAUSD’s Sept. 30 announcement that the district would not give in to the ransom demands.
Following release of the hacked data, fears about what information could’ve been breached abounded. Some reports posited that the trove of information included confidential student psychological evaluations, contract and legal documents, and business records containing personal identifying information including Social Security numbers.
“It’s been so frustrating to even think about what has been released and how concerned I need to be,” said LAUSD parent Teresa Gaines in a Monday interview before the district’s announcement. “I’m pretty disappointed that this has happened.”
But, according to LAUSD’s review, the data leaked was a “drop in the bucket” compared to the district’s 1.6 petabyte — or 16 million gigabyte — total trove of data, and contained “no evidence of widespread impact, as far as truly sensitive confidential information,” Carvalho said.
Some student information housed within LAUSD’s MiSiS (My Integrated Student Information) System — including names, addresses, student identification numbers, attendance and academic information — was leaked, Carvalho said. But that data appears to be largely restricted to the 2013-2016 time period.
The hackers also accessed data relating to third-party contractors who work with LAUSD, the superintendent said, which contained some personally identifying information, including passport and driver’s license documentation.
“The vast majority of it was not our personnel, not our employees,” Carvalho said. “We have found no evidence of widespread access or dissemination of employee information that includes personally identifiable information specific to employee Social Security numbers, employee health data, payroll data or the like.”
LAUSD was able to avoid a more disastrous outcome — wherein a larger amount of data containing personal information was hacked — because district IT staff workers identified the suspicious activity and shut down all systems before the hackers could access them, the superintendent said.
“That was the best thing we could have done. By shutting down the systems we basically stopped the intrusion,” he said. “Not only that we shut the doors on them — they left some of their assets within our system, that has provided us with the opportunity to actually learn from this actor based on what they left behind.”
That information will assist LAUSD — and its partnering agencies including the Federal Bureau of Investigation, LAPD and other local law enforcement — as they continue their investigation of the incident to pinpoint the individuals responsible and determine who was impacted.
Carvalho added that LAUSD is “pretty confident” that Vice Society will not release any additional information or attempt another cyberattack, and that “the experience specific to this bad actor has reached its conclusion.”
LAUSD on Monday morning opened a hotline “to assist those from our school communities who may have questions or need additional support,” according to the district. The hotline number, which currently operates Monday through Friday from 6 a.m. to 3:30 p.m., will operate from 8 a.m. to 8 p.m. moving forward, Carvalho said.
The moves comes after some parent and teacher groups lofted criticism that LAUSD failed to maintain proper lines of communication about the cyberattack.
Jenna Schwartz, co-founder of education advocacy group Parents Supporting Teachers and an LAUSD parent, said that the district’s communication since the discovery of the hack in early September has been lackluster.
“Ever since then, the communication has just been woefully inadequate,” Schwartz said in an interview.
The District had not provided substantial updates about the amount of data leaked or what kind of personal information it contained until the Oct. 3 press conference. The updates that were offered, Schwartz said, weren’t given to parents and teachers directly.
“Even right now, the only communication the superintendent has sent out has been on social media,” Schwartz said. “The majority of parents are not on social media — parents shouldn’t be penalized for not following the superintendent on Twitter.”
The district, though, said it would be contacting teachers and parents directly about the latest update on Monday evening following the press conference. Anyone whose data was leaked will be contacted directly by LAUSD in the coming weeks, Carvalho said, adding that those individuals will be offered credit monitoring services to help protect their information moving forward.
“We’re going to leave no stone unturned and anyone impacted shall be contacted by the school district,” Carvalho said.
