(Image source: LAUSD, n.d.)
One-sentence summary:
In 2022, Vice Society breached 2,000 sensitive student records, among other sensitive records, at Los Angeles Unified School District (LAUSD) after a ransomware attack.
Who was involved?
2,000+ LAUSD students, Vice Society, LAUSD, FBI, White House, CISA, et al. (LAUSD, 2022).
What was the timeline?
July 31, 2022: Initial access was made by Vice Society into LAUSD information systems.
September 3, 2022: Vice Society was detected by IT staff, and containment was briskly undertaken (Blume, 2022, para. 19). It is unclear when the ransomware was deployed.
September 5, 2022: LAUSD made its first press release online announcing the breach (LAUSD, 2022).
September 30, 2022: Stolen data was allegedly published online (Page, 2022, para. 8).
October 4, 2022: Original deadline for the ransom (Blume, 2022).
January 9, 2023: Laborer and payroll system data were found to be included in the data breach.
January 17, 2023: LAUSD provided the Office of the Attorney General of California with its data breach notification report (Office of the Attorney General, 2023).
February 22, 2023: LAUSD announced that 2,000+ student records were breached.
What occurred?
Vice Society, a Russian ransomware group, breached Los Angeles Unified School District (LAUSD) information systems on July 31, 2022, with the probable intention to deploy ransomware and exfiltrate data. The group remained in the environment for over a month before being detected, and it deployed ransomware while exfiltrating student, payroll, and contractor data (Los Angeles Unified School District, 2023, p. 1; Blume, 2023). Vice Society apparently published the stolen data online because of CISA’s intervention and its advice “not to pay” (Page, 2022, paras. 5-7). Data published included “personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records” (Blume, 2023, para. 4).
Estimated costs:
M-F call center costs (since October 2, 2022) (Los Angeles Unified School District, 2023, p. 2).
“Independent Information Technology Task Force” “composed of cybersecurity experts from top private and public sectors” (LAUSD, 2022, para. 3).
Operational disruptions: “600,000 users had to reset passwords” and “tripwires” during recovery (Blume, 2022, paras. 19-20).
2,000+ one-year memberships to Experian®’s IdentityWorks℠ (Los Angeles Unified School District, 2023, p. 2).
Involved laws:
Federal: FERPA, HIPAA, and HITECH.
State: CCPA and Cal. Civ. Code § 1798.29(a).
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
Blume, H. (2022, October 1). Hackers set Monday deadline for LAUSD data release. Los Angeles Times. Retrieved February 24, 2023, from https://www.latimes.com/california/story/2022-09-30/hackers-set-monday-deadline-for-lausd-to-pay-up-or-have-private-data-posted-on-dark-web
Blume, H. (2023, February 23). LAUSD cyberattack includes at least 2,000 student records. Los Angeles Times. Retrieved February 24, 2023, from https://www.latimes.com/california/story/2023-02-22/lausd-cyber-attack-includes-at-least-2-000-student-records
LAUSD. (n.d.). announcement – strategic plan.jpg. lausd.net. https://achieve.lausd.net//cms/lib/CA01000043/Centricity/Domain/4/announcement%20-%20strategic%20plan.jpg
LAUSD. (2022, September 5). Los Angeles Unified School District / Homepage. LAUSD Unified. Retrieved February 24, 2023, from https://achieve.lausd.net/Page/0?PageType=3
Los Angeles Unified School District. (2023). NOTICE OF DATA BREACH. In Office of the Attorney General. Office of the Attorney General. Retrieved February 24, 2023, from https://oag.ca.gov/system/files/LAUSD%20-%20Notification.pdf
Office of the Attorney General. (2023, January 17). Search Data Security Breaches. State of California – Department of Justice – Office of the Attorney General. Retrieved February 24, 2023, from https://oag.ca.gov/privacy/databreach/list
Page, C. (2022, October 3). Hackers leak 500GB trove of data stolen during LAUSD ransomware attack. TechCrunch. Retrieved February 24, 2023, from https://techcrunch.com/2022/10/03/los-angeles-school-district-ransomware-data/