California School District Says Hackers Accessed Massive Database

Article

The Los Angeles public school system, the second-largest in the US, said an extortionist group had accessed a massive database but had not leaked as much sensitive information from it as initially feared.

Student and staff data of the Los Angeles Unified School District began appearing on the web on Sunday after it refused to pay a ransom to a group called Vice Society. The school system suffered a cyber attack on Labor day, and had been told that its data would be leaked if it didn’t pay to retrieve it.

Alberto M. Carvalho, the district’s superintendent, denied reports that psychiatric evaluations of students showed up on the web, adding that no health records were available online.

Carvalho said the hackers, who he said were possibly operating out of Russia, “touched” a massive database which included social security numbers, health records and academic scores. Only a “very, very small percentage” of the data within the school’s IT systems was downloaded, he said, when his staff discovered the attack and acted quickly.

Computer code displayed on screens arranged in Danbury, U.K., on Monday, Jan. 4, 2021. In the spring, hackers managed to insert malicious code into a software product from an IT provider called SolarWinds Corp., whose client list includes 300,000 institutions. Photographer: Chris Ratcliffe/Bloomberg

Most of the data released on the web came from an archived database of student information from 2013-2016, he said. Some personal data of private contractors and temporary workers had also been leaked.

Carvalho didn’t believe that the group would release any more data and was confident “that the experience specific to this bad actor has reached its conclusion,” he told a press conference on Monday after reiterating the district would stand by its decision to not pay a ransom.

Vice Society, which said it hacked numerous school districts across the US, is a so-called hack-and-leak group that first appeared in the summer of 2021, according to the US Cybersecurity and Infrastructure Security Agency.

On the choice of targets, the group said it hacked schools “because we can.” While it had previously bought the malicious software to target victims, it now uses its own new software, a Vice Society spokesperson said in an emailed response to questions.

CISA recently warned that the group had turned its focus from health care to education, and believed the attacks may accelerate as students return to class.