LA Unified Receives Unspecified Ransom Demand Over Cyber Attack

LA Unified Receives Unspecified Ransom Demand Over Cyber Attack
A school administrator confirms student health check data on a laptop computer as students and parents wait in line to enter school at Grant Elementary School in Los Angeles on Aug. 16, 2021. (Robyn Beck/AFP via Getty Images)
City News Service

LOS ANGELES—The Los Angeles Unified School District (LAUSD) confirmed Sept. 21 it has received a ransom demand following a Labor Day weekend cyber attack that led to a shutdown of most of the district’s computer systems.

“We can acknowledge ... that there has been communication from this actor [hacker] and we have been responsive without engaging in any type of negotiations,” Superintendent Alberto Carvalho told reporters at district headquarters Sept. 21. “With that said, we can acknowledge at this point ... that a financial demand has been made by this entity. We have not responded to that demand.”

He did not provide specifics of the demand, or identify who made it.

In the days after the hack, Carvalho said the district had not received any sort of ransom demand, although he indicated the hackers appeared to have planted a series of digital “tripwires,” which could have disabled more systems. That prompted the district to take the extraordinary step of shutting down most of its computer systems over Labor Day weekend to fully assess the extent of the hack, then slowly bring things back online.

The process also required students and staff to reset their district passwords—a laborious process for the nation’s second-largest school district.

District officials said earlier that the attack temporarily interfered with the LAUSD website and email system. But officials said employee health care and payroll were not affected, nor did the hack impact safety and emergency mechanisms in place at schools.

It was unclear if the receipt of a ransom demand weeks after the initial attack was an indication that the hackers obtained or could potentially obtain more sensitive information. Carvalho said officials do not believe any highly sensitive information was accessed.

“This entity did touch our MiSiS (My Integrated Student Information) System, which contains student information,” Carvalho said. “To the best of our knowledge at this point ... we believe that some of the data that was accessed may have some students’ names, may have some degree of attendance data, but more than likely lacks personally identifiable information or very sensitive health information or Social Security number information.”

He said there is no sign that any sensitive employee information was accessed.

“This is the sad but new reality we are facing,” Carvalho told reporters. “We are on one hand attempting to understand how the breach took place—was it human error, meaning someone unknowingly responded to a phishing email that allowed unauthorized access, or was it a systemic failure on the part of a third-party entity that is connected to our system that opened the door.”

He acknowledged that “usually these cases begin with some degree of a human failure.”

Last week, the LAUSD Board of Education approved an emergency declaration in response to the attack, authorizing Carvalho to quickly sign emergency contracts to rectify the problems without the usual drawn-out bidding requirements.

The identity of the hackers has not been released, although some reports linked the attack to a cybercriminal syndicate known as the Vice Society.

District officials first detected unusual activity Sept. 3 from an external entity, prompting the district to deactivate all its systems in an “unprecedented” move.

Subsequently, the district contacted federal officials, prompting the White House to mobilize a response from the U.S. Department of Education, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, according to the LAUSD.

Carvalho said the district did not initially know the extent of the hack, leading to the protective move of a system-wide shutdown.

The incident did not lead to any disruption of classes.

District officials said they immediately established a plan of action to provide protection in the future, “informed by top public and private sector technology and cyber security professionals.”
  • Independent Information Technology Task Force: Charged with developing a set of recommendations within 90 days, including monthly status updates.
  • Additional human resources: Deployment of IT personnel at all sites to assist with technical issues that may arise in the coming days.
  • Technology investments: Full-scale reorganization of departments and systems to build coherence and bolster data safeguards.
  • Advisory council: Charged with providing ongoing advisement on best practices and systems, including emerging technological management protocols.
  • Technology adviser: Directed to focus on security procedures and practices, as well as conduct an overall data center operations review that includes an assessment of existing technology, critical processes and current infrastructure.
  • Budget appropriation: Directed appropriation of any necessary funding to support Information Technology Division infrastructure enhancement.
  • Employee training: Develop and implement mandatory cyber security responsibility training.
  • Forensic review: Expand ongoing assistance from federal and state law enforcement entities to include a forensic review of systems.
  • Expert team: Creation and deployment of an expert team to assess needs and support the implementation of immediate solutions.
Breaking news gathering service based in West Sacramento, California, USA Gathering and distributing breaking news content via video, photographic and audio
Related Topics