The district — the nation’s second-largest public school system — discovered the attack over the Labor Day weekend. It was aimed at both stealing data and disabling computer systems. In response, the district deactivated all its systems to contain the damage, and reset all student and staff passwords.
That posted data “appeared” to include materials such as Social Security numbers, passport information, tax forms, legal documents, financial reports with bank account details, health information, student psychological assessments and other items, according toTechCrunch. Perpetrators Vice Society said the collection totaled “500GB of files” and posted the data to its dark web leak site.
The ransomware actors released the data in advance of their stated Oct. 4 deadline and came “just hours” after the school district posted a Sept. 30 press release stating that it did not plan to pay, per TechCrunch.
LAUSD Superintendent Alberto Carvalho today tweeted a notice stating the district was working with partners to assess the scope of the leak and announcing a hotline to field questions from members of the school community.
“Unfortunately, as expected, data was recently released by a criminal organization,” the post said. “In partnership with law enforcement, our experts are analyzing the full extent of this data release.”
In the Sept. 30 press release, the district said it “expected” to offer credit monitoring to those impacted.
REFUSAL TO PAY
The decision over whether to pay ransomware actors’ extortion is a controversial one. The FBI discourages but does not ban paying, while a handful of states have barred public entities from complying.
On the one hand, paying makes the crime profitable, encouraging more attacks, and there’s no certainty that criminals with follow through with their end of the bargain. Victims who pay might still lose some of their data if it became corrupted during the encryption process, or the decryption keys may prove difficult to work with.
On the other hand, some organizations may find these risks outweighed by other factors. They may judge the data too sensitive to chance its exposure, for example. Entities providing critical services might also be unable to tolerate the time it takes to recover or rebuild their systems without ransomware actors’ help.
LAUSD opted against paying and had been working to get systems restored and understand the extent of the data theft, it said in its Sept. 30 release.
“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate, ” LAUSD said. “We continue to make progress toward full operational stability for several core information technology services.”
Carvalho reiterated the opinion in an Oct. 3 tweet, stating “I understand there will be many opinions on this matter but, simply said, negotiating with cyber criminals attempting to extort education dollars from our kids, teachers and staff will never be a justifiable option.”
The district has announced other efforts to bolster cybersecurity going forward, such as accelerating multifactor authentication (MFA) deployment and establishing an Independent Information Technology Task Force to review previous security audits and reports.