LA officials confirm ransomware group leaked students’ personal data

Hackers with the Vice Society ransomware group have leaked a portion of the 500 GBs of data that they stole last month from the Los Angeles Unified School District, the superintendent confirmed on Sunday. The information relates to the district’s students, employees and more. 

“Unfortunately, as expected, data was recently released by a criminal organization,” said Alberto Carvalho, LAUSD superintendent. “In partnership with law enforcement, our experts are analyzing the full extent of this data release.” 

Carvalho told the L.A. Times that any ransom demand would be “absurd” but that the one they received was particularly “insulting,” leading them to cut off negotiations. 

“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” he said in a follow up statement. 

Thank you to our students, families and employees for doing their part in the ongoing recovery from this cyberattack. pic.twitter.com/K8VhiFmSbL

— Alberto M. Carvalho (@LAUSDSup) October 2, 2022

LAUSD is the second-largest school district in the country and last year served an estimated 574,570 students across early education, elementary, secondary, and adult education classes, according to the district’s data. It operates more than 1,400 schools and educational centers, while employing more than 73,000 people. 

It is still officially unclear what data was stolen, but experts from cybersecurity firm Check Point told The Record that in examining the leaks, they found over 248,000 files of different kinds of data.

"We’re seeing SSNs, contracts, invoices, passports and more," the researchers said, sharing several samples of W-9 forms and contracts from the leak.

A law enforcement official also told NBC that the trove may include psychological evaluations of children. Carvalho has previously denied that sensitive employee information was stolen.

On Friday, the school district released a statement explaining that they are still working with law enforcement agencies on figuring out what was taken.

"As stated, we do not believe that employee healthcare and payroll have been impacted and safety and emergency mechanisms remain in place,” LAUSD said. 

Vice Society jumps gun

The Vice Society ransomware group took credit for the attack weeks ago, and appears to have leaked the data it stole from LAUSD two days ahead of a deadline it imposed to pay a ransom, which was set for Monday.

In a statement attached to the post leaking the sensitive data, the ransomware gang explicitly called out the Cybersecurity and Infrastructure Security Agency (CISA). 

“CISA wasted our time, we waste CISA reputation,” the group wrote. 

CISA and the FBI have worked with LAUSD officials on the response to the crisis since the hack emerged on September 3.

CISA declined to comment about Vice Society’s message, but shared a statement from CISA's Executive Assistant Director for Cybersecurity Eric Goldstein.

“CISA worked closely with the Los Angeles Unified School District (LAUSD), as well as the FBI, Department of Education, and local law enforcement in response to this ransomware incident," he said.

"LAUSD took swift action to report this incident to federal agencies, collaborate with key partners to mitigate further risk, and communicate transparently – all key steps for effective response to cybersecurity incidents."

The FBI, CISA and other agencies noted in an alert in September that Vice Society has “disproportionately” attacked dozens of educational institutions over the last year and stepped up its level of attacks this fall. 

Emsisoft threat analyst Brett Callow – a ransomware expert tracking attacks on school districts – said Vice Society has attacked at least 8 other U.S. educational institutions so far this year.

He added that the message to CISA was notable because it reiterated a demand many ransomware gangs have, to not call the police.

“CISA can help victims; gangs don’t want victims to have help,” he said. “The gangs want victims to go it alone as they then have a better chance of being paid and, consequently, they seek to undermine confidence in law enforcement.”

Rebecca Moody, head of data research at Comparitech, told The Record that in the last couple of months, Vice Society claims to have attacked the School District of Elmbrook in Wisconsin, Sierra College in California, Linn-Mar School District in Iowa, and Grand Valley State University in Michigan. 

“As our recent research found, these attacks have devastating impacts on schools and colleges,” she said. 

“These attacks not only put student records at risk but the downtime and recovery costs of these attacks often cost millions of dollars. Based on these recent findings, the impact on LAUSD could have cost tens of millions of dollars in downtime alone.”

The school district plans to offer affected victims access to credit monitoring services but did not respond to requests for comment about how long that offer would last. On Monday, they opened a hotline for students and parents with questions about the breach.  

There have already been 103 ransomware attacks on educational institutions so far this year, according to data tracked by Recorded Future ransomware expert Allan Liska, and a Government Accountability Office report released last November warned that schools were increasingly victims of ransomware attacks.

The report urged the Department of Education to update its guidance to schools about digital security risks, which was last issued in 2010.