LAUSD cyberattack includes at least 2,000 student records

The Los Angeles Unified School District announced Wednesday that “approximately 2,000 student assessment papers” were released to the dark web as a result of a recent cyberattack, including those for 60 who are currently enrolled.
The released records also included an unspecified number of driver’s license numbers and Social Security numbers. The district statement didn’t say who owned those numbers, but the school system doesn’t routinely collect Social Security numbers from students.
The confirmation came after an article by the 74 website, which alleged that detailed and sensitive mental health records of “hundreds — and likely thousands — of former Los Angeles students” were released on the dark web and “contained personally identifiable information about students who received special education, including their detailed medical histories, academic performance, and disciplinary records.”
The district did not directly address how many impacted students or their families were notified of the breach.
“We have already notified a number of individuals and vendors affected by this attack and will continue to notify individuals as they are identified,” the statement said.
The district also provided some additional details on the types of records that had been breached.
“Some of these records date back nearly three decades, requiring further time-consuming analysis,” the statement said. “Our review also found that positive COVID-19 test results were part of the breach. Further analysis is ongoing.”
Uncovering the consequences of such data breaches is difficult, Brett Callow, threat analyst for cybersecurity firm Emsisoft, told The Times.
“How does knowledge of extremely sensitive information impact people, including on their mental health?” said Callow. “How often is the stolen information misused? How often do third parties scrape the data and share it on other websites or social media? How often [are] people actually contacted in blackmail attempts?
“Unfortunately, it’s not uncommon for attacks to result in sensitive information leaking online,” he continued. “Ransomware is a bigger problem than people sometimes realize, and we really need to find better ways to counter it.”
The nature of most of the compromised records had been publicly announced months ago, with L.A. schools Supt. Alberto Carvalho calling people affected by the security breach “outliers” because the district has records of millions of people in its databases.
The new disclosures significantly increase the number of recognized victims and add details to the confidential information obtained.
It is currently believed that hackers entered the district’s computer systems as early as July 31. District technicians noticed the intrusion on September 3, the Saturday of Labor Day weekend, and responded by quickly shutting down systems to prevent further damage. After the district refused to pay a ransom to the hacker gang, which specializes in educational institutions, the hackers posted around 500 gigabytes of data on the dark web.
The hackers’ encryption of the district’s systems, the “tripwires” they left in place that could have caused further damage, and the district’s own shutdown resulted in a multi-week, gradually diminishing disruption. Some technical corrections still need to be made.
Wednesday’s statement marked the second time this year that LA Unified had disclosed greater damage than previously announced.
The first instance came in January through a notification to state regulators that the intrusion likely exposed confidential information, including Social Security numbers, on more than 500 people working for county contractors. That notification also indicated that the breaches into LA Unified’s computer systems began more than a month earlier than district briefings had described.
That January notification was part of documentation required by the State of California and was not released until journalists found it in state records.
“Los Angeles Unified continues to investigate the impact of the September 2022 cyberattack,” read the LA Unified statement, which was attributed to Jack Kelanic, senior IT infrastructure administrator. “This is an ongoing investigation in collaboration with forensic and cybersecurity professionals, expending painstaking and diligent efforts to sift through the data, examine individual pieces, determine what information was accessed, locate the individuals concerned, and track them via resources informed to protect themselves.”
He added in the statement, “The aftermath of a cyberattack is a multifaceted, dynamic process, with real-time updates often changing the direction of an investigation… Ongoing legal notifications are complex and, in many cases, complicated by the age of the files.”
District spokeswoman Shannon Haber said the district “always reported the information we had at the time,” which she says was reviewed by district attorneys and law enforcement investigators prior to the release.
https://www.latimes.com/california/story/2023-02-22/lausd-cyber-attack-includes-at-least-2-000-student-records