An internal report identified key vulnerabilities in the Los Angeles Unified School District’s data systems, two years before hackers launched a major cyberattack that disrupted operations at the nation’s second-largest school system this week.
The report indicated that district staff agreed with the findings and committed to addressing them, but district officials did not explain Wednesday which of the recommended actions were being implemented.
The private data of more than 400,000 students could be at risk in the massive cyberattack identified late Saturday night. LA Unified weathered a full digital shutdown to open schools as scheduled Tuesday, but the school system experienced disruption to normal learning and some business operations throughout the day. Much of the district’s website remained unavailable through Wednesday.
County officials said they didn’t know if the hackers accessed student information in the county’s student management system, including assessments, grades, class schedules, disciplinary records and disability reports. However, they said they believe employees’ Social Security numbers, medical records and payroll information remain safe.
The cybersecurity audit was released in September 2020 and was conducted by outside consultants working with district technology staff under the supervision of the district inspector general’s office.
The Times received an edited version prepared for those without security clearance. Confidential parts, including most of 38 specific findings accompanied by 38 recommendations, are not included.
Nevertheless, the report sounded the alarm in bureaucratic language. In sample tests, “auditors were able to gain access to certain sensitive information, including a limited number of social security numbers,” the report said.
Auditors were also able to obtain LAUSD passwords and “convince employees to unknowingly run malicious code.”
Numerous “high risk” areas were identified, including the structure of district systems, poor procedures, and inadequate staff safety training.
Among the issues identified in 2020:
- The technology department had not put in place a process to ensure the organization adhered to security standards.
- The district lacked adequate incident response training, for example to respond to hacking or any other emergency.
- Certain classes of computer accounts had inferior security.
On Tuesday, LA Unified Supt. Alberto Carvalho, who has been at the helm since February, announced a long list of cybersecurity measures already in place or about to be rolled out.
The 2020 report provided a general description of the LA Unified system, noting that “security is provided via multiple, redundant firewalls with content filtering and intrusion detection system capabilities.”
The main data center is located at the district headquarters on South Beaudry Avenue west of downtown and occupies an entire floor. A backup site in Van Nuys serves “as a disaster recovery site.”
The report was redacted out of concern for “highly sensitive information that could be exploited by attackers targeting the district,” the introduction said.
The hack represents a major security failure, and it could be weeks before the district learns the extent of the damage or what private data was extracted.
LA Unified is far from the only school district affected. Hackers have compromised confidential information in school systems in Las Vegas, Chicago and New York City.
In LA, a quick shutdown of district systems when the breach was discovered might have prevented much greater damage, Carvalho said Tuesday.
Emergency systems and the technological components of key operations – including food services and bus transport – were operational, giving Carvalho the confidence on Monday night to decide to open schools on a normal schedule after the Labor Day holiday.
But it was not a usual day.
“Recovery from the suspension has proved more challenging than initially anticipated,” officials confirmed in a statement Wednesday afternoon.
A seventh-grade teacher said Tuesday was challenging, with some teachers unable to reset online accounts until after school.
“Virtually everything we do during a school day depends on accessing LAUSD accounts, even how students log in to go to the bathroom during class,” she said. Due to a delay in the arrival of textbooks, students had been using digital curricula, many of which were temporarily out of reach.
And she reported an additional complication: “In order to fix errors and reset the PA system, there were often loud test noises that spontaneously interrupted the lesson.”
Parents were also concerned about the disturbances. “My son goes to Hamilton HS,” Justin Kahn said via Twitter. “He said all the classes were basically dead, no access to the coursework, and to make matters worse… Hamilton didn’t have a working air conditioner either.”
A civics teacher at a South LA school reported that the day was delightfully technology-free, resulting in one of the best days of class ever.
But parent Elizabeth Hernandez couldn’t help but worry. One of her children has a disability that requires an individual education plan for which she has submitted extensive personal information.
“It’s scary because we don’t know exactly how much information is out there,” Hernandez said. “Anyone can steal their identity.”
Since the hack, her third-grader hasn’t had any major difficulties in class, as most classroom activities at this level don’t require computer access.
But her teenager was worried about being locked out of his district account, which students use to receive, complete, and submit assignments.
The restart of district systems included resetting hundreds of thousands of passwords, which had to be done at one district site, except for about 7,000 students whose families chose remote online learning this year.
Carvalho said these students would be helped through the technology hotline, but warned there could be delays.
“Today was very messy and complicated,” a student at the Virtual Academy told the Times. She was able to get into her Zoom session, but most of the other students were locked out. She worried about inaccessible schoolwork piling up, calling Tuesday “unproductive, stressful.”
Wednesday, she said, was “completely the same,” as teachers and students were still struggling to change passwords.
“My classroom/English teacher is also very lost and doesn’t even know what to do,” she said.
The student said she was on hold with the hotline for 32 minutes before accidentally disconnecting.
But workarounds were put in place by Wednesday: Teachers had students sign up to the free online Khan Academy instead of their regular platform so they could solve their math problems.
In a statement on Wednesday, Carvalho thanked the students and staff for their perseverance and patience.
“We understand that this has been a frustrating and confusing experience for many,” he said, “and our teams are working diligently to help our community regain access to all systems as soon as possible.”
Alejandra Reyes-Velarde, a Times contributor, contributed to this report.
Source: Report identified key vulnerabilities two years before cyberattack on L.A. Unified, https://www.latimes.com/california/story/2022-09-08/report-identified-key-vulnerabilities-prior-to-cyberattack-on-l-a-unified