Los Angeles schools’ data leaked after ransomware attack

Dive Brief:

• Data stolen from the Los Angeles school system during a ransomware attack last month began appearing online Sunday. Vice Society, the prolific threat actor behind the attack, released data two days earlier than the deadline it set for a ransom payment.
• The potential damage caused by the data breach and leak remains unclear, but some Social Security numbers and W-9 forms were exposed, according to the Los Angeles Times. 
• The Los Angeles Unified School District has maintained employee information was not stolen, but confidential data on students and independent contractors might be compromised.

Dive Insight:

Vice Society published the stolen data two days after it listed the district on its ransomware leak site. LAUSD Superintendent Alberto Carvalho forcefully rejected the demand Friday in a public response.

“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” Carvalho said in the statement.

The district, the second largest in the country, has an operating budget for the 2021-2022 school year of $20 billion. The amount of the ransom demand hasn’t been disclosed.

Carvalho acknowledged data was released in a statement posted Sunday on Twitter and said the district is working with law enforcement to determine the full extent of the leak. The FBI and Cybersecurity and Infrastructure Security Agency have been assisting the district since it discovered the cyberattack in progress at 10:30 p.m. on the Saturday leading into Labor Day.

The district set up a hotline to answer questions and provide additional support. 

Vice Society posted a message with the stolen data that reads, “CISA wasted our time, we waste CISA reputation,” according to a screenshot published by Brett Callow, threat analyst at Emsisoft. Callow suggested that means CISA probably stalled the release of the data. 

“Gangs’ deadlines are meaningless,” he said via email. “They’re untrustworthy bad faith actors and if they believe they can swing the needle in their favor by releasing the data early, that’s exactly what they’ll do.”

Comments are closed.