(Image credits: Long Beach Unified School District, n.d.)
One-sentence summary:
The PII (personally identifiable information) of 130,000 Long Beach Unified School District (LBUSD) students was published on the dark web in February 2023.
Who was involved?
Approximately 130,000 LBUSD students, LBUSD, and at least three adversaries (Callow, 2023).
What was the timeline?
February 21, 2023: Hacker “mud” releases the database on the dark web.
February 22, 2023: Brett Callow posts a screenshot of the leak on Twitter. LBUSD confirms the breach to parents via email (Hutchings, 2023, para. 2).
What occurred?
On or before February 21, several hackers (mud, project district, and [redacted]) breached LBUSD’s insecure “Google Directory” and exfiltrated over 130,744 student names, email addresses, and school IDs (Callow, 2023). The information was published on the dark web (Callow, 2023).
Estimated costs:
TBA.
Involved laws:
Federal: FERPA (U.S. Department of Education, n.d.).
State: CCPA, Cal. Civ. Code § 1798.29.
Root cause:
Per the attackers, an insecure Google Directory and weak passwords (Callow, 2023).
Lessons learned:
Audit sensitive directories and other databases for secure configurations. Use automated monitoring and response solutions to quickly detect and revert configuration changes. Enforce strong password policies for all users and audit passwords with tools such as John the Ripper.
Sources:
Callow, B. (2023, February 22). Data purportedly stolen from Long Beach Unified School District has been posted to a hacker forum. #LBUSD [Tweet]. Twitter. https://twitter.com/BrettCallow/status/1628526013096546304/photo/1
Hutchings, K. (2023, February 23). Hacker Steals, Posts Data from Long Beach Schools. GovTech. Retrieved February 25, 2023, from https://www.govtech.com/education/k-12/hacker-steals-posts-data-from-long-beach-schools
Long Beach Unified School District. (n.d.). Marketing and Media Services. lbschools.net. https://www.lbschools.net/Departments/MMS/downloads.cfm
U.S. Department of Education. (n.d.). Personally Identifiable Information for Education Records | Protecting Student Privacy. studentprivacy.ed.gov. Retrieved February 25, 2023, from https://studentprivacy.ed.gov/content/personally-identifiable-information-education-records