LOS ANGELES (LA SCHOOL REPORT) -- A ransomware gang reportedly published over the weekend a trove of sensitive student records from the Los Angeles school district. The data was posted to the gang’s dark-web “leak site” after education leaders refused to pay — and at first even acknowledge — a ransom.
Roughly 500 gigabytes of district data made public by the Russian-speaking gang reportedly include students’ confidential psychological assessments and social security numbers, according to news reports. Vice Society has taken credit for stealing the district records in a massive data breach last month. The full scope of the information released is unclear.
Alberto Carvalho, the Los Angeles Unified School District superintendent, confirmed in a tweet on Sunday that LAUSD’s data had been published on the dark web, but did not verify the type of data that was leaked. Further details could come at a district press conference scheduled for Monday evening.
The data’s release carries significant risks for current and former students, cybersecurity experts said. Children’s social security numbers are particularly valuable to identity thieves because they can be used for years without raising alarm.
James Turgal, a former executive assistant director for the FBI Information and Technology Branch, said it’s particularly important for officials to protect the sensitive data of children, who may “find out they own a condo in Bora Bora under their name 15 years from now” because their information was exploited.
Turgal, now the vice president of cyber risk and strategy at Optiv Security, praised the district’s decision.
“There’s no upside to ever paying a ransom,” said Turgal. “More likely than not, even if LAUSD would have paid the ransom, [Vice Society] still would have disclosed the information” on their leak site.
Carvalho made it clear in several statements the district had no intentions of paying up, possibly prompting the criminals to publish the stolen data earlier than planned. Vice Society, which took credit for a massive data breach that caused widespread disruptions at America’s second largest school district, had initially announced plans to publish the data on Monday.
“What I can tell you is that the demand — any demand — would be absurd,” Carvalho told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
In a statement, the district acknowledged that paying a ransom wouldn’t ensure the recovery of data and asserted that “public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.”
The district announced on Sunday a new hotline available to concerned parents and students seeking information about the breach. A district spokesperson declined to comment further. The district has also not revealed details of Vice Society’s demand.
Vice Society didn’t immediately respond to questions about the leak. Over the weekend, they told cybersecurity journalist Jeremy Kirk that they demanded a ransom weeks earlier than district officials have publicly acknowledged. Asked about the size of the ransom, the group replied, “let’s say that it was big =).”
Since the breach was disclosed, district officials have been working with federal authorities at the FBI and Cybersecurity and Infrastructure Security Agency, which the ransomware group says has “wasted our time,” telling TechCrunch in an email that federal authorities were “wrong” to advise the district against paying.
“We always delete documents and help to restore network [sic], we don’t talk about companies that paid us,” the group told the news outlet. “Now LAUSD has lost 500GB of files.”
LA School Report has not reviewed the data published to the Vice Society leak site. Doug Levin, the national director of The K12 Security Information eXchange, said Monday he was unable to independently verify information posted to the leak site, suggesting that it may have been the victim of a hack. But once the data was published online, he said, it’s impossible to rein it back in.
“You have to assume that it has been compromised by nefarious actors who have copied it down and the damage, therefore, is done,” Levin said.
For example, while Vice Society likely posted most of the data it exfiltrated onto its leak site, they may have held onto the most sensitive data like social security numbers to sell on a dark web marketplace, often for identity theft.
Now that sensitive data has been disclosed, the district must formally notify victims that their information was compromised and provide advice on how to best protect themselves, Levin said. The district may find themselves on the hook for as much as $100 in medium-term recovery costs, Levin noted, to improve their cybersecurity infrastructure and work to prevent another attack in the future.
He said it’s important that affected educators, parents and students adopt strong security safeguards. The district announced plans to provide credit monitoring services to victims, but Levin said that victims should consider freezing their credit.
“The school district itself is likely going to be facing a crisis of confidence in its school community about its ability to keep data and their IT systems safe and secure,” Levin said. “Ultimately, they’re going to have to be able to answer the question of why they can be trusted to safeguard that personal information going forward.”