Sensitive information about students from the Los Angeles Unified School District (LAUSD) began to appear online on Saturday after a cybercriminal gang posted data obtained in a ransomware attack.
The publication of the data was confirmed by LAUSD superintendent Alberto M. Carvalho in a statement released by tweet on Sunday.
“Unfortunately, as expected, data was recently released by a criminal organization,” the statement said. “In partnership with law enforcement, our experts are analyzing the full extent of this data release.”
The ransomware attack that targeted LAUSD — the second-largest school district in the US — occurred four weeks ago over Labor Day weekend. Although it was not immediately attributed by official sources, many signs pointed to a ransomware gang known as Vice Society, which has specifically targeted K-12 education institutions; the hacked data has now been published on the Vice Society dark web site.
The gang issued an extortion demand to the school district on September 22nd, just over two weeks after the attack took place. At the time, Carvalho told local reporters that the information stolen by Vice Society was thought to contain student names and attendance records but “most likely lacks personally identifiable information or very sensitive health information.”
Unfortunately, this assessment may have been overly optimistic. While no details of the contents of the data leak have been officially confirmed, reporting from NBC Los Angeles cited a law enforcement source as stating that the published data included legal records, business documents, and some confidential psychological assessments of students. Bleeping Computer also reports that some of the folder names in the leaked data suggest the contents include Social Security numbers, passport information, and “Secret and Confidential” documents.
Following the advice of law enforcement, Carvalho said from the outset that the school district would not cooperate by paying a ransom. On Friday, a day before the data was released, the superintendent reiterated to the Los Angeles Times that the district would not negotiate with hackers. This statement appears to have prompted the publication of some of the data, which was released two days before the payment deadline initially given by the hackers.
If confirmed, the release of sensitive student information would be a damaging but perhaps also inevitable escalation of the ransomware attack. For any parents, staff, or students affected by the incident, LAUSD has set up a hotline to field questions or handle requests for support. The line will be accessible Monday through Friday between 6AM and 3:30PM PT at 855-926-1129.