Hackers release LAUSD data after ransom denied

Hackers have released some data stolen in a cyberattack against the Los Angeles Unified School District, officials confirmed Sunday.

The data was released Saturday — two days before a deadline previously given by the hackers — in an apparent response to LAUSD Superintendent Alberto Carvalho's stated refusal to pay ransom to an international hacking syndicate, the Los Angeles Times reported.

The newspaper said it reviewed screenshots from the hack that appeared to show some Social Security numbers, but the full extent of the release was not clear.

District spokeswoman Shannon Haber would not confirm the release when reached by City News Service on Sunday.

The group claiming responsibility for the cyberattack had set a Monday deadline for the district to pay a ransom to the organization.

In a dark web post detected and reprinted by Brett Callow of the cybersecurity firm Emsisoft, the hacking syndicate Vice Society listed the LAUSD as one of "our partners," and stated, "The papers will be published by London time on October 4, 2022 at 12:00 a.m."

The post did not give any indication about what information had been obtained or what would be published.

Carvalho previously acknowledged that the district received a ransom demand from the group responsible for the Labor Day weekend hack -- which he declined to name.

"We can acknowledge ... that there has been communication from this actor (hacker) and we have been responsive without engaging in any type of negotiations," he told reporters. "With that said, we can acknowledge at this point ... that a financial demand has been made by this entity. We have not responded to that demand."

He did not provide specifics about the demand.

Carvalho told The Times on Friday the district will not pay the ransom demand or negotiate with the hackers.

"What I can tell you is that the demand -- any demand -- would be absurd," he told the Times. "But this level of demand was, quite frankly, insulting. And we're not about to enter into negotiations with that type of entity."

The district issued a statement Friday afternoon acknowledging the threatened information dump, and indicated it is "diligently working with investigators and law enforcement to determine what information was impacted and to whom it belongs."

After discovering the hack, LAUSD officials took the extraordinary step of shutting down most of its computer systems while they worked to assess the full extent of the cyber intrusion. Systems were then slowly brought back online.

Carvalho said earlier the hackers appeared to have planted a series of digital "tripwires" that could have disabled more systems, so the district was being cautious about bringing computers back online.

No classes or other district operations have been impacted by the cyberattack, officials said. Students and staff, however, have been forced to reset their district passwords -- a monumental task for the nation's second- largest school district.

District officials said earlier that the attack temporarily interfered with the LAUSD website and email system. But officials said employee health care and payroll were not affected, nor did the hack impact safety and emergency mechanisms in place at schools.

It was unclear whether the receipt of a ransom demand weeks after the initial attack was an indication the hackers obtained or could potentially obtain more sensitive information. Carvalho said officials do not believe any highly sensitive information was accessed.

"This entity did touch our MiSiS (My Integrated Student Information) System, which contains student information," Carvalho said. "To the best of our knowledge at this point ... we believe that some of the data that was accessed may have some students' names, may have some degree of attendance data, but more than likely lacks personally identifiable information or very sensitive health information or Social Security number information."

He said there is no sign that any sensitive employee information was accessed.

"This is the sad but new reality we are facing," Carvalho told reporters. "We are on one hand attempting to understand how the breach took place -- was it human error, meaning someone unknowingly responded to a phishing email that allowed unauthorized access, or was it a systemic failure on the part of a third-party entity that is connected to our system that opened the door?"

In its Friday statement, district officials said, "To our school community and partners, we will update you when we have relevant information and notify you if you personal information is impacted, as appropriate. We also expect to provide credit monitoring services, as appropriate, to impacted individuals.

"... Los Angeles Unified remains firm that dollars must be used to fund students and education. Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services."

Following the hack, the district contacted federal officials, prompting the White House to mobilize a response from the U.S. Department of Education, the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, according to the LAUSD.

A hotline has been set up and will be available starting Monday at 6 a.m. to assist those who may have questions or need additional support.

The telephone number for the incident response hotline is 855-926-1129, and the hours of operation are 6:00 am to 3:30 pm PT, Monday through Friday, excluding major U.S. holidays.