Hackers have released a cache of data stolen during a cyberattack on the Los Angeles Unified School District (LAUSD) in what appears to be the largest education breach in recent years.
Vice Society, a Russian-speaking group that claimed responsibility last month for the ransomware attack that disrupted the LAUSD’s access to email, computer systems and applications, released the data stolen from the school district over the weekend. The group had previously set an October 4 deadline to pay an unspecified ransom.
The stolen data was posted to Vice Society’s dark web leak site and appears to contain personal identifiers, including passport details, social security numbers and tax forms. While londonbusinessblog.com has not yet assessed the full treasure, the published data also includes confidential information, including contract and legal documents, financial reports with bank account details, health information including COVID-19 test data, previous conviction reports, and student psychological assessments.
Vice Society, a group known for its attacks on schools and the education sector, added a message with published data stating that the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the government agency helping the school respond to the infringement, “wasted our time.”
In an email, Vice Society told londonbusinessblog.com that CISA allegedly blocked the release of data and that CISA was “wrong” to advise LAUSD not to pay the ransom. (CISA and the FBI have long discouraged victims from paying the ransom so as not to “encourage opponents to target other organizations.”) “We always delete documents and help restore the network [sic], we don’t talk about companies that paid us,” the cybercriminals said. “Now LAUSD has lost 500 GB of files.”
CISA did not immediately respond to a request for comment.
LAUSD inspector Alberto M. Carvalho confirmed the release of stolen data in a statement posted on Twitter on Sunday, along with the announcement of a new hotline starting Monday morning — (855) 926-1129 — for concerned parents and students to ask questions about the cyberattack.
Just hours before the public release of the stolen data, LAUSD posted a pronunciation on Friday, confirming that it would not pay Vice Society’s ransom demand, the amount of which is unknown.
“It is important to note that this investigation is still ongoing,” the statement said. “Los Angeles Unified remains committed to using dollars to fund students and education. Paying ransom never guarantees full recovery of data, and Los Angeles Unified believes that public dollars are better spent on our students than capitulation to a nefarious and illegal crime syndicate.”
LAUSD said it is working with law enforcement to “determine what information has been affected and to whom it belongs.” The district did not say whether it knows what data it expects to release. LAUSD is the second largest district in the United States with more than 1,000 schools and 600,000 students.
LAUSD spokesman Shannon Haber declined to comment on Friday’s statement.
According to Brett Callow, a threat analyst at Emsisoft, the Vice Society ransomware gang has attacked at least eight other US school districts, colleges and universities so far in 2022. a warning from CISA and the FBIwho said Vice Society is “disproportionately attacking the education sector with ransomware attacks.”
LAUSD said it is “continuing” with the cyber attack and “making progress towards full operational stability for several core information technology services”. Some educational institutions targeted by ransomware fail to recover at all: Lincoln College, founded in 1865, recently announced that it closed its doors after a ransomware attack last December disrupted the admissions process.