The private data of more than 400,000 students could be at risk as state and local investigators assess the damage wrought by a massive cyberattack on the Los Angeles Unified School District, which overcame a full digital shutdown to open schools as scheduled Tuesday.
The district did not know if hackers had accessed student information—assessments, grades, class schedules, disciplinary records, disability reports—through the district’s online student management system.
“We’re still going through student files because … the student administration system was touched,” Supt. Alberto Carvalho said at a downtown news conference accompanied by Los Angeles Mayor Eric Garcetti and Los Angeles Police Commissioner Michel Moore. He said the hackers had encryption skills to cover their tracks and “lock us out of what they have or what they saw.”
“We saw no evidence of student health information or social security numbers being accessed,” Carvalho said. The payroll system also works, and personnel data have apparently not been compromised. “But any kind of access is one that concerns us.”
An investigation involving the FBI, the Department of Homeland Security and local law enforcement agencies is underway, underscoring the gravity of the attack on the country’s second-largest school district. Carvalho said the attack, spotted at 10:30 p.m. Saturday, was launched by a “ransomware tool that temporarily disabled systems, froze others and had access to some data.”
There are indications the hack could have come from abroad, and Carvalho said there was no ransom demand.
“I won’t go into detail, but there are three nations that investigators have had some lead on,” Carvalho said. “But that doesn’t necessarily mean that’s where the attack came from.”
District employees quickly recognized the intrusion and took action that may have averted an operational disaster.
If the district had lost the ability to manage its bus fleet, “over 40,000 of our students would not have been able to get to school,” Carvalho said. If meal services or payroll systems had been shut down, the impact “would have been significant, very disruptive and debilitating to our school system.”
District officials may have thwarted a worse outcome by taking the unprecedented step of shutting down all district systems. But recovering from the shutdown created problems of its own: assignments and lesson plans weren’t accessible over the weekend. And no student or staff member had access to the system until they could reset their password, a process that began around 9 a.m. Tuesday when school was already starting. The resets were not completed by the end of the school day.
School districts are vulnerable targets for a variety of reasons, including a preference to use funding for purposes other than cybersecurity and the need for online systems to provide public access. For 2021, cybersecurity company Emsisoft, which tracks cyberattacks in education and other sectors, counted 88 educational institutions affected by ransomware: 62 school districts and 26 colleges and universities.
A notable local attack targeted the Newhall school system in 2020. In May, Chicago’s public school system announced that a massive data breach had exposed four years of records of nearly 500,000 students and nearly 60,000 staff.
A recent cyberattack targeted a company, Illuminate Education, whose clients include LA Unified, and whose services reach “more than 17 million students” in 5,200 schools and school districts, according to its website.
LA officials said Monday there was no apparent link between the ransomware attack and the Illuminate breach.
What makes LAUSD an “attractive target” is the number of people affected when district systems become unavailable, said Clifford Neuman, director of the USC Center for Computer Systems Security. “This may make the affected organization more willing to pay a ransom to restore their systems and encourage criminals to demand larger payments.”
The hackers can demand ransoms to restore systems and prevent private data from being released publicly, as happened at the Clark County School District in Nevada.
Cybersecurity expert Brett Callow said it’s “quite possible” that quick action by LA Unified helped tremendously.
“Organizations sometimes realize they have a problem when systems start being encrypted,” said Callow, threat analyst at Emsisoft.
“However, encryption is usually the final step in an attack,” he added. In other words, by the time the district stepped in to prevent an operational collapse, a vast amount of data could already have been stolen.
Late Sunday night, officials determined that key systems were usable and Carvalho decided to open the schools on Tuesday as planned.
“No. 1 is a pretty normal school day, and that was our intention,” Carvalho told reporters at the Roybal Learning Center.
But there were problems, especially early in the day.
“Some teachers find they can change their LAUSD password and then log in, but the password page is unreachable,” said one teacher.
“I’m not able to do my job, which is making sure students attend school,” said an attendance consultant. “We have attendance papers that we will be collecting but I would normally call home or make house calls to find out the whereabouts of the students. Unfortunately, since I do not have access to their information, I cannot find out where these students are.”
Fourth-grade teacher Richard Powels was able to reset his password, but his students, who had to go through the process on campus, had to wait five minutes to access the reset website, which then wouldn’t accept their credentials.
“Hopefully tomorrow will be better,” said Powels, who teaches in a magnet program at Clifford Street Elementary in Echo Park. As of Tuesday afternoon, “no students will be able to use their devices at school. We had to improvise a bit with our plans to make sure everyone is engaged and learning.”
The district did not announce the attack until Monday night because, according to Carvalho, a critical assessment and response was underway and because information from the various agencies involved in the investigation needed to be verified before release.
As the district acknowledged the attack, officials also announced a series of measures to improve cybersecurity. These actions, according to the district, “have been taken, will be taken immediately, or will be implemented as soon as possible.”
The list includes:
- Establishing an independent information technology task force, which would be tasked with developing recommendations within 90 days and providing monthly updates.
- Deploying technical staff across the vast school system to help with any issues that arise in the coming days.
- Reorganizing departments and systems “to build coherence and strengthen data protection.”
- Appointing a Technology Expert Advisory Board and a Technology Advisor focused on security procedures and practices and a general review of data center operations.
- Increasing the budget as needed and improving employee training.
- Analyzing systems with the help of federal and state law enforcement agencies.
Police Chief Moore said the risk of cyberattacks should not be underestimated. “It’s the #1 threat to our security, and it’s an invisible enemy and a relentless enemy,” Moore said. “It requires all of us to work together to identify these threats and these actors and take mitigation actions.
“This is a wake up call, a reminder,” added Moore, “because we are all so dependent on our cyber universe.”
Garcetti said authorities are on alert for further attacks on city networks. Highlighting the challenge posed by hackers, he said the city has to stop 1 billion cyberattacks every month: “That’s with a 2,” he said.
“We are all vulnerable to these attacks. If you’re a small business owner listening to this today, it’s not just big companies like LAUSD,” Garcetti said.
“It can and was small companies. They are medium and large companies. They are government agencies. It’s non-profit.”
https://www.latimes.com/california/story/2022-09-07/los-angeles-unified-schools-cyberattack L.A. Unified targeted in massive cyberattack