LA District Downplays Student Harm After Cyber Gang Posts Sensitive Data Online
Supt. Carvalho denies report student psychiatric evaluation records were exposed by Vice Society after L.A. district refuses to pay ransom demand
Support The 74's year-end campaign. Make a tax-exempt donation now.
Updated, Oct. 4
The Vice Society ransomware gang reportedly published over the weekend a trove of sensitive student records from the Los Angeles school district. The data was posted to the gang’s dark-web “leak site,” after education leaders refused to pay — and at first even acknowledge — a ransom.
Yet in a press conference Monday, Superintendent Alberto Carvalho sought to downplay the damage done, particularly as it relates to records about children. An initial news report on the data dump said that student psychiatric evaluation records had been published online, citing a confidential law enforcement source. That reporting, Carvalho said, is “absolutely incorrect.”
“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system. The “vast majority” of exposed student data, including names, academic information and personal addresses, was from a period between 2013 and 2016. “That is the extent of the student information data that we have seen.”
Roughly 500 gigabytes of district data was made public on Sunday by the Russian-speaking ransomware gang, which took credit for stealing the district records in a massive data breach last month. The full scope of the information released is unclear, yet after reviewing about two-thirds of the data, Carvalho said that “so far, based on what we’ve seen, critical health information or Social Security numbers for students,” is not included.
Carvalho confirmed in a tweet on Sunday that LAUSD’s data had been published on the dark web, but did not verify the type of data that was leaked. On Monday, he said that information from private-sector contractors, particularly those in construction, appeared most impacted. Breached records include contracts, financial information and personally identifiable data, Carvalho said.
Cybersecurity experts have warned that the release of district data could come with significant risks for current and former students. Children’s Social Security numbers are particularly valuable to identity thieves because they can be used for years without raising alarm.
James Turgal, a former executive assistant director for the FBI Information and Technology Branch, said it’s particularly important for officials to protect the sensitive data of children, who may “find out they own a condo in Bora Bora under their name 15 years from now” because their information was exploited.
Turgal, now the vice president of cyber risk and strategy at Optiv Security, praised the district’s decision to withhold payment.
“There’s no upside to ever paying a ransom,” said Turgal, “More likely than not, even if LAUSD would have paid the ransom, [Vice Society] still would have disclosed the information” on their leak site.
Carvalho made it clear in several statements the district had no intentions of paying up, possibly prompting the criminals to publish the stolen data earlier than planned. Vice Society, which took credit for a massive data breach that caused widespread disruptions at America’s second-largest school district, had initially announced plans to publish the data on Monday.
“What I can tell you is that the demand — any demand — would be absurd,” Carvalho told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
In a statement, the district acknowledged that paying a ransom wouldn’t ensure the recovery of data and asserted that “public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.”
The district announced on Sunday a new hotline available to concerned parents and students seeking information about the breach. A district spokesperson declined to comment further. The district has also not revealed details of Vice Society’s demand.
In an email to The 74, Vice Society said they published the district data because “they didn’t pay,” and acknowledged the “ransom demand was big” without providing a specific figure. Asked what makes school districts attractive victims for such attacks, the group offered a brief explanation: “Maybe news? Don’t know … We just attack it =).”
Over the weekend, they told cybersecurity journalist Jeremy Kirk that they demanded a ransom weeks earlier than district officials have publicly acknowledged. Asked about the size of the ransom, the group replied, “let’s say that it was big =).”
Since the breach was disclosed, district officials have been working with federal authorities at the FBI and Cybersecurity and Infrastructure Security Agency, which the ransomware group says has “wasted our time,” telling TechCrunch in an email that federal authorities were “wrong” to advise the district against paying.
“We always delete documents and help to restore network [sic], we don’t talk about companies that paid us,” the group told the news outlet. “Now LAUSD has lost 500GB of files.”
The 74 has not reviewed the data published to the Vice Society leak site. Doug Levin, the national director of The K12 Security Information eXchange, said Monday he was unable to independently verify information posted to the leak site, suggesting that it may have been the victim of a hack. But once the data was published online, he said, it’s impossible to rein it back in.
“You have to assume that it has been compromised by nefarious actors who have copied it down and the damage, therefore, is done,” Levin said.
For example, while Vice Society likely posted most of the data it exfiltrated onto its leak site, they may have held onto the most sensitive data like Social Security numbers to sell on a dark web marketplace, often for identity theft.
Now that sensitive data has been disclosed, the district must formally notify victims that their information was compromised and provide advice on how to best protect themselves, Levin said. The district may find themselves on the hook for as much as $100 million in medium-term recovery costs, Levin noted, to improve their cybersecurity infrastructure and work to prevent another attack in the future.
He said it’s important that affected educators, parents and students adopt strong security safeguards. The district announced plans to provide credit monitoring services to victims, but Levin said that victims should consider freezing their credit.
“The school district itself is likely going to be facing a crisis of confidence in its school community about its ability to keep data and their IT systems safe and secure,” Levin said. “Ultimately, they’re going to have to be able to answer the question of why they can be trusted to safeguard that personal information going forward.”
Sign up for the School (in)Security newsletter.
Get the most critical news and information about students' rights, safety and well-being delivered straight to your inbox.
Support The 74's year-end campaign. Make a tax-exempt donation now.