A criminal syndicate largely failed to steal valuable data from the Los Angeles Unified School District, but a small number of individuals had sensitive information published on the Dark Web, Supt. Alberto Carvalho said on Monday.
Analysts were able to verify about two-thirds of the data released on Saturday – after Carvalho refused to authorize a ransom payment – and the overwhelming majority of students, parents and staff can breathe easy, the superintendent said.
“Based on what we’ve seen, there’s no evidence of a widespread impact on truly sensitive, confidential information at this time,” Carvalho said. “The release was actually more limited than we originally anticipated.”
hacker were able to confiscate and release archived student information largely from 2013 to 2016, including attendance dates, academic information and addresses, Carvalho said at a downtown news conference.
But he warned there will be “runaways”. Some Private information was released, including tax forms and passports, mostly from people associated with the district’s private contractors.
“We see no systematic evidence that information was breached,” he said.
Anyone whose data has been breached will be contacted and the district will provide credit monitoring services, he said.
The full review of the leaked documents, which began Sunday, could take another week as they have to be analyzed piece by piece, said Soheil Katal, the school system’s chief information officer. After that, it could take weeks to contact data subjects because much of the data is archival in nature or consists of digital bits and pieces, he said — a characterization consistent with a Times review of the data on the dark web.
The press conference came at the end of the first day of school after hackers released sensitive information over the weekend. Many parents and staff said they were frustrated by a lack of communication and concerned about what private information hackers might have about them or their children, including medical information and finances.
District officials attempted to address those concerns late Monday afternoon by sending out an email and phone update across the district.
Hackers calling themselves the Vice Society released the documents on Saturday — two days before the deadline for a ransom payment — after Carvalho made it clear the county would not pay.
The computer system that has been most compromised is in the facilities department, making private information of construction and maintenance companies particularly vulnerable.
Technology specialists who have reviewed some of the released documents — and who have provided screenshots reviewed by the Times — have previously indicated there is cause for concern. Documents include W-9 forms, which contain social security numbers, and other forms expressly used to collect sensitive information.
A Times review of just a fraction of the vast treasure trove corroborated the specialists’ reviews and found a report on an employee’s criminal record and pending cases. There is also salary information for a major contractor and one of his subcontractors. A tech site reported finding psychological reports and sentencing records. Also, more everyday materials were released: building maintenance logs, photos from a camping trip, audio files to play for staff birthdays.
The attack happened over Labor Day weekend. LA Unified technicians spotted and cut off the attack while it was underway on September 3; otherwise the system damage and data theft could have been much worse.
Still, the hackers gained some access to the student information system, which includes grades, coursework, disciplinary records, and disability status.
“I am so disgusted by this act against the most vulnerable members of our society,” said Alicia Montgomery, director of the Center for Powerful Public Schools, a local advocacy group.
Montgomery was particularly outraged at the impact on LA Unified and other targeted school systems amid recovery efforts from the COVID-19 pandemic.
“To think they’re just holding districts across the country hostage — hampering academic instruction and growth at a time when we’re all trying to mitigate the damage of two years of emergency tuition is bad enough. But to add insult to injury, they sell information about children,” she said. “It’s just so despicable.”
Parents expressed frustration on Monday.
Charlotte McPherson, whose 8-year-old daughter attends Woodland Hills Elementary School, said she felt the district was unclear and inconsistent when it came to what information was compromised.
“Shouldn’t the agency that is entrusted with my child and their information be the one responsible for communication?” asked McPherson, who has been a victim of identity theft and worries her daughter could be one too.
The school system has been posting general updates on social media, but McPherson was unhappy she hadn’t received a more explicit notice: “If there is a direct threat that my child’s medical information or any of their demographics will be released, the district should speak up me that.”
She also worries about the impact on employees.
“If there is [Social Security numbers] and compromised information for teachers and educators, what kind of confidence does this give them in their district? We’re already losing teachers,” she said.
Also unhappy was Jenna Schwartz, co-founder of the Facebook group Parents Supporting Teachers, who issued a statement Monday.
“LAUSD communications have dwindled to almost nothing with the current administration,” the statement said, in part. “Superintendent Carvalho only communicates with his immediate team or through social media. … Families and employees live in a world of darkness.”
Some parents tried to be patient.
“As a new parent to LAUSD — friendly student — I’m very concerned, but I’ll wait for more information to come,” said Nancy Montes. “I trust the teachers and staff at my child’s school.”
Part of the attack was the theft of data. Another was trying to encrypt systems and make them unusable.
Carvalho said all systems affecting students and parents were up and running within a week of the Sept. 3 cyberattack, but many parents struggled.
Elizabeth Hernandez, who has a 14-year-old and an 8-year-old child, said she cannot access the district’s parent portal. As a result, she was unable to apply to volunteer at her children’s schools.
She, too, is concerned about posting private information: “We’re not sure because we’re not told what’s really going on.”
She wonders how committed the school system will be to addressing the identity theft that will crop up years from now as a result of the hack.
“I don’t know what kind of problems this will cause in the future for my kids or anyone in the school district,” she said. “The future problems worry me more.”
Still, Hernandez agrees with the district’s decision not to pay the ransom, she said.
Emily Bañales, who has three children in LAUSD schools, would have preferred the district to cover the cost. She also worries about the impact the hack will have on her children years from now, perhaps when they turn 18 or apply for a credit card.
“How will that affect them five years from now, ten years from now when they leave high school and try to go to college?” asked Bañales, who lives in Pacoima.
An incident response line was blocked Monday when it first became available at 6am. The news radio KNX reported waiting times of at least 45 minutes at an early stage; An early afternoon check by the Times revealed a wait of 20 minutes.
The employee who responded said she works for an outside company that was brought in to help with the hotline. The hotline at (855) 926-1129 is available Monday through Friday from 6:00 a.m. to 3:30 p.m
For now, callers are being told to wait while the district determines if they have been victimized and what is the best way to do about it. The district has agreed to help with credit monitoring and other services.
One parent met the situation with black humor.
“If my kid’s online homework from the last few years becomes popular on the dark web, I want a profit cut to compensate for the premature destruction of their credit rating,” she said.
https://www.latimes.com/california/story/2022-10-03/lausd-parents-angry-cyberattack-data-release Carvalho: No wide release of data in L.A. school cyberattack