What happened in the Los Angeles Unified School District cyberattack?

Catherine Garcia, Night editor
·4 min read
A laptop.
A laptop. Illustrated | Getty Images

The Los Angeles Unified School District — the second-largest district in the United States — fell victim to a cyberattack in early September. On Saturday, after LAUSD Superintendent Alberto Carvalho refused to pay a ransom, the hackers released some of the stolen data onto the dark web. Here's everything you need to know:

How did the cyberattack unfold?

On Sept. 3, LAUSD technicians saw that a cyberattack was in progress and cut it off; if they hadn't acted as quickly as they did, Carvalho said, the situation would have been a lot worse. Officials revealed there were two parts to the attack — the stealing of data and the encryption of some data to make it inaccessible — and it's not yet clear if "human error" caused the breach or if it was "a systemic failure on the part of a third-party entity" connected to the system. Carvalho acknowledged that the district may never find out how this happened.

In the wake of the attack, most of the district's computer systems were shut down, and employees and students were asked to make new passwords. Last week, Carvalho announced the district had received a ransom request from the hackers, "and we have been responsive without engaging in any type of negotiations." He added: "We have not responded to that demand." He did not reveal the ransom amount.

The hackers, who call themselves the Vice Society, made an announcement on the dark web warning that if the ransom wasn't paid, they would begin publishing information obtained in the hack on Monday. Carvalho again refused, with the district saying Friday that paying ransom "never guarantees the full recovery of data" and "public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate." The next day, sensitive information from the district's system was released on the dark web.

What information is now on the dark web?

The Los Angeles Times said Monday it had scanned the documents and found some identifiable information on minors, as well as records of disciplinary actions against building and grounds workers dating back to 2008 and 2009. The LAUSD's analysts and law enforcement officials have reviewed about two-thirds of the data, and Carvalho said Monday that "based on what we have seen, there is at this point no evidence of widespread impact as far as truly sensitive, confidential information. The release was actually more limited than what we had originally anticipated."

Because every document requires close analysis, LAUSD's chief information officer, Soheil Katal, said it could take another week to review the leaked material. Carvalho also conceded that the hackers could be holding onto more sensitive information to release in the future.

How much data was involved?

The LAUSD has 1.6 million gigabytes of data in its system, and officials said the hackers were able to obtain about 500 gigabytes. The computer system belonging to the Facilities Services Division, which oversees maintenance and construction, was the most compromised, per the Times.

What does the LAUSD know about the hackers?

The hackers used servers based in Canada, Germany, and the Netherlands, Carvalho said Monday, and "based on available information, it is quite likely that this entity operates within the geographic boundaries of Russia."

What are LAUSD employees and parents saying?

Many have expressed their frustration over a lack of communication from the district, the Times reports, and are worried about their information — or their children's — being exposed. Others are saving their ire for the hackers. "I am so disgusted by this act against the most vulnerable members of our society," Alicia Montgomery, head of the advocacy group Center for Powerful Public Schools, told the Times. "To think they are just holding districts across the country hostage — impeding academic instruction and growth at a time when we are all trying to mitigate the harm from two years of emergency instruction is bad enough. But to add insult to injury, they are selling information about children. This is just so despicable," she said.

The district said anyone whose data was affected will be contacted and offered credit monitoring services, and that a hotline has been set up to provide assistance.

Has there been an increase in cyberattacks involving U.S. schools?

The LAUSD attack was the 50th attack on the education sector this year, cybersecurity firm Emsisoft told CNN. In January, Albuquerque Public Schools had to cancel classes for two days following a cyberattack, which affected its systems containing information on student emergency contacts. Brett Callow, a threat analyst with Emsisoft, told the Times that schools are in "a very tough position. People want them to be spending money on educating kids, and dedicating millions of bucks to additional IT security measures and IT staff may not be the most politically popular decisions, until something like this happens."

You may also like

Lizzo invited for an encore flute performance at James Madison's home

Russian war reporters warn Ukraine is threatening thin, fragile defensive lines in southern Kherson

Survey reveals less than half of Americans plan to get flu shot this season