Hackers Post Data From LAUSD Cyberattack After District Refuses To Pay Ransom. What They Appear To Have
L.A. Unified Superintendent Alberto Carvalho on Monday confirmed that a breach of sensitive data by cyberattackers had compromised the Social Security numbers of some district employees and contractors who worked in LAUSD's facilities operation.
At a Monday afternoon news conference, Carvalho gave some details about what they know so far, including that LAUSD facilities servers were hardest hit in the attack. Hackers also released what Carvalho characterized as a limited amount of student data.
However, Carvalho also sought to reassure parents, students and staff — many of whom were angered over what they described as a lack of clear communication from LAUSD headquarters about the extent of the breach.
Carvalho stressed that the hackers had released far less data than even the district originally feared — and already, they had reason to believe a fast early response to the hack had limited some damage.
"There was not a breach of any one server that had a treasure trove of COVID vaccinations, or Social Security numbers, or health information or payroll information," Carvalho told reporters after the press conference. The release of information, he added, "has no doubt impacted some people, but not in a systemic way."
What Employee Data Do The Attackers Have?
LAist has reviewed screenshots from the website of the ransomware gang Vice Society, which multiple tech journalists have reported is responsible for the attack. On the page displaying directories of data the group allegedly stole, one folder is labeled “Secret Confidential.” Another is labeled “ssn” — apparently short for “Social Security number.”
Carvalho again declined to name Vice Society on Monday, but also didn't dispute reports they were responsible. He did say the hackers used "server systems housed in the Netherlands, Germany and Canada" and that the group "operates within geographic boundaries of Russia."
LAUSD officials stressed the overall volume of compromised data was relatively small. The hackers released around 500 gigabytes of data, the equivalent of what some laptops can contain — and about 0.1% of the district's total IT assets, according to LAUSD chief information officer Soheil Katal.
The most extensive damage from the cyberattack centered on the district's facilities systems. Though access to other LAUSD systems has been restored, most district employees still lack access to the systems that manage facilities planning, budgets, projects and contracts — even weeks after the attack.
On Monday, Carvalho said the hackers released a "significant number" of records associated with private facilities contractors. The data includes information that often appears with a W-9 form, including passport data and Social Security numbers. These employees also needed to have COVID-19 vaccination information on file, and that information was exposed.
Similar records of LAUSD staff have been found intermingled amongst the vendor information released in the attack. However, Carvalho said that employees' data was exposed on a case-by-case basis.
After reviewing more than two-thirds of the data the hackers released, Carvalho said that there's still no sign that LAUSD's employee payroll system has been compromised.
Cybersecurity experts have said the release of Social Security numbers alone isn’t necessarily cause for concern: Many Social Security numbers are already widely available for cheap on the dark web — and a Social Security number alone is not necessarily critical to stealing someone’s identity.
However, as Clifford Neuman, director of the USC Center for Computer Systems Security, said last month, “My concern is that if they’ve got access to a Social Security number, they’ve got access to a lot of other things.”
What Student Data Do The Attackers Have?
The superintendent has previously said that hackers managed to “touch” systems containing sensitive data on students.
Carvalho said Monday that the hackers likely have released all the data they managed to steal — a statement he acknowledged is difficult to make with 100% certainty, but he made it on the basis of the hackers' track record in previous cyberattacks. He again expressed cautious optimism that the extent of student data that the hackers stole was limited.
Carvalho said the district has seen evidence that some records of student names, academic grades and attendance dating from the period of 2013 to 2016 were released. The data appears to be a fragment of LAUSD's archived student records system — the predecessor to the current MiSiS database.
However, Carvalho disputed early reports that students' psychiatric evaluations were released in the hack, saying they have no evidence those records were among Sunday's data dump.
How We Got Here
Law enforcement officials also have not named Vice Society as the perpetrator, but the federal government’s cybersecurity agency issued a warning about the group around the time of the LAUSD attack. The alert confirmed that Vice Society has targeted K-12 schools before.
On Friday, tech journalist Jeremy Kirk posted a screenshot of Vice Society’s website showing a countdown clock representing the time LAUSD had left to deliver a ransom payment. That same day, the school district issued a statement, flatly refusing to negotiate.
“Paying ransom never guarantees the full recovery of data,” the LAUSD statement read, “and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
By Sunday morning, Vice Society had posted the data, according to a tweet from cybersecurity threat analyst Brett Callow, who’s monitored the LAUSD case since the beginning.
What To Do If You Have More Questions
LAUSD officials have provided a phone number where operators will field questions about the cyberattack: 855-926-1129. The hotline will operate Monday through Friday, from 6 a.m. to 3:30 p.m. Pacific time.
Carvalho said that LAUSD will offer free credit monitoring to individuals affected by the hack. He also said that if the district doesn't reach out, "no news is good news."