Los Angeles Unified Caught In Cyberattack — Here's What Happens Next
Los Angeles Unified school officials shut down all of the district’s vital online systems over the weekend in an attempt to contain a ransomware cyberattack, district officials announced Tuesday.
The shutdown left many of LAUSD’s 27,000 teachers and administrators to fend for themselves in the classroom without several critical and basic systems — from email, to student records, to instructional files — as they navigated a tedious, slow-moving process of restoring their access throughout the day Tuesday.
However, LAUSD officials expressed cautious optimism that these drastic steps prevented the attack from compromising sensitive student or staff records — though Superintendent Alberto Carvalho also noted that it was too early in the investigation to definitively rule out a breach.
“By shutting down all of the systems,” Carvalho said during a midday press conference, “we were able to stop the propagation of this effect, restricting its potential damage. That was the right call at the right moment.”
Just How Serious Is This?
Ransomware attacks pose a serious threat to workplaces and institutions of all sizes. The attacks, which are often launched by hackers who demand ransom fees in exchange for restoring access, have the potential to render entire computer systems unusable, and untangling their effects is a costly and time-consuming process.
Carvalho said LAUSD did not receive a ransom demand during this attack, but officials are treating the intrusion as a “likely criminal” act.
The superintendent saw the incident as serious enough to involve both the White House and an unnamed individual on the National Security Council. Over the weekend, agents from the FBI and officials with the federal departments of Homeland Security and Education joined the local law enforcement response.
Officials said LAUSD’s online systems are largely operational again. To regain access to those systems, teachers, students and parents will only need to reset their “Single Sign-On” password — while on an LAUSD campus.
“All the systems are already working,” said Soheil Katal, LAUSD’s Chief Information Officer. “The key is the password. They set up the password, they get to the network. They get to the network, they can get to the applications.”
However, with roughly 700,000 passwords to reset, and limited bandwidth on Microsoft’s end to reset them, Katal acknowledged this process will take time.
What Was It Like In LAUSD Schools On Tuesday?
There were early signs that the return from the long Labor Day weekend might be rocky.
Last Thursday afternoon, many teachers reported trouble accessing MiSiS, the district’s custom-built student data system where teachers enter class attendance — though Katal said those interruptions were unrelated to the cyberattack, and may have coincided with planned maintenance on the system.
As LAUSD officials looked to reassure parents that schools would continue to operate Tuesday, it was also clear from the district’s statement that the response to the attack — if only to figure out how to prevent a future malware incident from occurring — will take months.
LAUSD’s statement included the following actions it said it was taking immediately or "as soon as feasible":
- Charging an independent IT task force with delivering “a set of recommendations within 90 days”
- Directing a “technology advisor” to conduct an overall review of data center operations
- Tasking an "advisory council" with advising on best practices and systems
- Deploying an “expert team” to assess and "support the implementation of immediate solutions"
- A “full scale reorganization of departments and systems to build coherence and bolster district data safeguards”
- Appropriating “any necessary funding” needed to beef up the district’s IT infrastructure
LAUSD identified the attack itself around 10:30 p.m. Saturday, Carvalho said.
Over the weekend, many teachers noticed interruptions in their ability to access MiSiS and other LAUSD systems like email and Google Drive.
On Labor Day, sixth grade history and English teacher Pedro Lemus said he suddenly lost access to the slides he was preparing for Tuesday’s classes. His colleagues were abuzz with speculation about a possible intrusion by hackers — though district officials, in consultation with law enforcement, decided not to publicly confirm that a cyberattack had occurred until late Monday night.
“It really was very jarring to be like, ‘Whoa … is our Drive safe now?’ There was a lot of confusion,” said Lemus, who teaches at George Washington Carver Middle School in Historic South Central.
Despite the attack, LAUSD officials promised that campuses would be open on Tuesday, cafeterias would serve food, and IT staff would be available. Teachers would continue teaching, even if many would not necessarily agree with Carvalho that it was a “fairly normal” school day.
Amber Schwinmann, who teaches special education at LAUSD’s Germain Academy in Chatsworth, said online videos and music are critical in meeting the needs of her early elementary-aged students in the core autism program.
“They enjoy a lot of visuals,” Schwinmann explained. “That’s why we do a lot of internet-based stuff. We have a lot of videos that we watch that are language-based and getting them to communicate. That is so important for my kids.”
Schwinmann said she wasn’t able to access these online systems until just after noon Tuesday, when she was able to reset her password. By then, only an hour remained in her school day — and most of her students, who don’t adjust easily to changes in routine, had been having a tough time with the disruption.
Don Luong, an eighth grade history teacher at Gage Middle School in Huntington Park, wondered if his students noticed he was winging it on Tuesday.
Luong had paper rosters printed so he could take attendance with paper and pencil. He had photocopies of his materials ready. Though he had planned to walk students through a video he’d embedded into an inaccessible district site, Luong found a version of the video on YouTube and used that instead.
Would Tuesday’s interruptions derail instruction? “I would imagine it depends on the teacher and how tech-savvy they are,” Luong said.
Lemus felt his students could tell. While his English classes were reading a novel and working with paper-and-pencil materials on Tuesday, the outage in Google Drive over the weekend left him without a slideshow he’d been hoping to use during his history classes.
“I was honest with everybody,” the second-year teacher told his class. “‘Hey folks, I had all my slides ready to go.’ We were supposed to be able to use our Chromebook today — but sorry we're back to pen and paper … I was very transparent with them, and I could tell that they knew that I was flustered.”
Lemus showed up at 7 a.m. on Tuesday morning — an hour before his classes started, just as instructions from the district said — intending to reset his password. He waited on the phone with IT for a half hour, only to be told they couldn’t submit a help desk ticket because their systems were down, too. He reset his password once at midday, only for it to stop working shortly thereafter. It ultimately took three reset attempts for Lemus to get back online.
“I woke up extra early, I got here at 7 a.m. to make sure that I had an hour of prep time to get the lessons going and [fulfill the district’s] promise of, ‘We're going to have this up and running, Tuesday’s going to be an instructional day,’” Lemus said. “That did not happen.”
Ransomware Attacks Are (Surprisingly?) Common In Schools
Cyberattacks on education institutions have become commonplace. One report from the online privacy and cybersecurity research firm Comparitech found 67 ransomware attacks that targeted schools and colleges in 2021, costing an estimated $3 billion in downtime alone.
Another count from Emsisoft threat analyst Brett Callow said the attack on LAUSD would be the 50th to target an education sector entity this year.
“Ransomware gangs are nothing if not predictable,” Callow explained. “If they find they can make money by targeting a particular sector, they’ll target it over and over again until it ceases to be profitable.”
Ransomware attacks lock users out while encrypting all of their data stored in an online system, effectively locking it away. Only the hackers hold the key to unlocking that data and restoring access, and they’ll demand a ransom in exchange for that key. Sometimes they’ll also steal the data before encrypting it, and threaten to release sensitive information unless they receive additional payment.
Educational institutions are prime targets for such attacks, and they’ve proven willing to pay these ransoms, explained Comparitech editor Paul Bischoff.
Two major factors have made school districts such lucrative targets. First, schools are “filled with teachers who are not IT professionals but still have to interact with systems all day — which makes them easier targets,” Bischoff said.
Second, when cyberattacks shutter schools’ systems, “the urgency of getting things back online” takes over. In California, school funding is tied to daily school attendance — so schools are more likely to pay the ransom because a prolonged school closure could cost more than the hackers’ demands.
One of the most vexing elements to Bischoff about these cyberattacks on schools, universities, and hospitals: rarely do any of these institutions involve law enforcement in the response.
“This is one of the things that’s really befuddled me,” he said. “Maybe they don’t feel that police have anything to really do about it. There may be no way to track it. It’s just not that common for police to get involved.”
By contrast, LAUSD’s press conference featured lots of law enforcement brass: the head of the FBI’s Los Angeles field office, Donald Alway; L.A. Police Chief Michel Moore; and the interim chief of the school district’s own police department, Steve Zipperman.
The response to the attack has been a collaborative effort, Carvalho said.
Mayor Eric Garcetti also spoke at the press conference, calling the attack a “wake-up call” for entities large and small across the city to revisit their cybersecurity policies.
“Our enemies are talking to each other all the time,” the mayor said, “but we sometimes — because companies see rivals or competition — don't share information. The good guys need to be sharing information just as the bad guys do.”