Hackers released data from Los Angeles Unified School District on Saturday, a day after Supt. Alberto Carvalho said he would not negotiate with or pay a ransom to the criminal syndicate.
Some screenshots from the hack were reviewed by The Times and appear to show some Social Security numbers. But the full extent of the release remains unclear.
The release of data came two days earlier than the deadline set by the syndicate that calls itself Vice Society — and happened in apparent response to what it took as Carvalho’s final answer. Hackers demand ransom to prevent the release of private information and also to receive decryption keys to unlock computer systems.
“What I can tell you is that the demand — any demand — would be absurd,” Carvalho told The Times on Friday. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
In a statement released later that day, he said: “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
The extent of the data theft is now being evaluated by federal and local authorities, including the school district.
“Unfortunately, as expected, data was recently released by a criminal organization,” the school district said in a social media post Sunday. “In partnership with law enforcement, our experts are analyzing the full extent of this data release.”
Carvalho said on Friday that he believed confidential information of employees was not stolen. He was less certain about information related to students, which could include names, grades, course schedules, disciplinary records and disability status.
Some of the documents in the release appear to be forms with confidential information from the facilities services division. These forms could have been filled out either by district employees or by contractors doing work for the school system.
Some W-9 forms also appear to be in the release. The W-9 is an official form furnished by the IRS for employers or other entities to verify the name, address and tax identification number — typically a Social Security number — of an individual receiving income. Independent contractors who do work for companies or agencies that do not employ them must often provide that entity with a W-9.
The district will provide assistance to anyone harmed by the release of data and has set up an “incident response” line at (855) 926-1129. Its hours of operation are 6 a.m. to 3:30 p.m., Monday through Friday, excluding major U.S. holidays.
Since the attack, which was discovered Sept. 3, the nation’s second-largest school district has worked closely with local law enforcement, the FBI and the federal Cybersecurity and Infrastructure Security Agency, or CISA.
CISA posted a warning to education institutions about Vice Society immediately after the LAUSD attack without directly confirming that the syndicate was responsible for it.
The syndicate’s original Monday deadline was posted on the dark web site maintained by Vice Society, which had informally confirmed to at least three reporters that it was responsible for the hack.
On Friday, Carvalho did not contest media accounts identifying Vice Society. He continued his previous practice of not naming the amount that is being demanded.
The claim of responsibility became official with a posting on the dark web. A screenshot shows the Vice Society logo and its catchphrase “ransomware with love.” The site lists as “partners” the entities that it claims to have victimized. These now include the L.A. Unified School District, which is listed along with the district logo.
Hackers this year have attacked at least 27 U.S. school districts and 28 colleges, said Brett Callow, threat analyst for the digital security firm Emsisoft. At least 36 of those organizations had data stolen and released online, and at least two districts and one college paid the attackers, Callow said.
Cybersecurity experts who confirmed late Saturday or early Sunday that the release had occurred included Callow and blogger Dominic Alvieri.
Vice Society alone has hit at least nine school districts and colleges or universities so far this year, per Callow’s tally.
When the LAUSD attack was discovered, district technicians quickly shut down all computer operations to limit the damage, and officials were able to open campuses as scheduled on the Tuesday after the holiday weekend. The shutdown and the hack resulted in a week of significant disruptions as more than 600,000 users had to reset passwords and systems were gradually screened for breaches and restored.
During this rebooting, technicians found so-called tripwires left behind that could have resulted in more structural damage or the further theft of data. The restoration of district systems is ongoing, but there also was another element of the attack: the exfiltration of data.
The hackers claimed to have stolen 500 gigabytes of data.
As part of its response, the district also set up a cybersecurity task force, and the school board has granted Carvalho emergency powers to take any related step he feels is necessary.
The internal systems most damaged were in the facilities division. Carvalho said it was necessary to create workarounds so that contractors could continue to be paid and repairs and construction could continue on schedule.