Last month, the ransomware gang Vice Society, hacked the Los Angeles Unified School District, the second largest in the country, leaving the computer system paralysed. Two weeks after the initial attack, the perpetrators demanded money for the return of the stolen data.
Now, Vice Society has followed through on its threat, releasing 500 GB of information on its leak site on Saturday. The district’s superintendent, Alberto Carvalho, previously told the Los Angeles Times that he didn’t believe any confidential employee information had been stolen. However, Saturday’s data dump seems to contradict that account, though the full extent of the leak’s impact is unclear.
Some of the documents posted online include confidential information from school facilities workers, as well as tax forms complete with sensitive identifying information like social security numbers, according to the LA Times.
There were also reportedly folders included in the data dump that appear to contain passport information, and others labelled “Secret and Confidential,” according to a report from Bleeping Computer. Further, Police told NBC News Los Angeles that some of the files now public on Vice Society’s leak site include student psychological assessments, contracts, and business records.
Although, initially, the hackers indicated the data release date pending ransom would be October 3, the release of the data on Saturday instead came one day after Carvalho said the district wouldn’t be paying or negotiating with the hackers. From an earlier LA Times report:
“What I can tell you is that the demand — any demand — would be absurd,” Carvalho said. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
In a statement released later, he added: “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
Following the release of the data, Carvalho put out another statement. “In partnership with law enforcement, our experts are analysing the full extent of this data release,” he wrote and then pointed concerned community members to a newly established incident response hotline.
Thank you to our students, families and employees for doing their part in the ongoing recovery from this cyberattack. pic.twitter.com/K8VhiFmSbL
— Alberto M. Carvalho (@LAUSDSup) October 2, 2022
LAUSD is conducting an internal investigation of the hack and said it would be publishing a cybersecurity report within 90 days, according to a statement published by the district on Friday. “To our school community and partners, we will update you when we have relevant information, and notify you if your personal information is impacted, as appropriate. We also expect to provide credit monitoring services, as appropriate, to impacted individuals,” the statement said.
“This incident is a firm reminder that cybersecurity threats pose a real risk for school districts across the nation. Los Angeles Unified is not the first public school district that has been targeted and unfortunately, it will not be the last,” the news release also read. The statement urged the FCC to authorise E-Rate Program funds for use in boosting security and IT infrastructure.
The LA Unified School District encompasses more than 1,000 schools and about 600,000 students. It is second only in size to the New York City Public School district and is the largest U.S. school district to be subject to such an attack… so far. Hacks of school districts and other educational institutions have become increasingly common in recent years. In 2021 alone, 62 districts and 26 colleges were hit by ransomware attacks, according to a report from Emsisoft.