Securing Student Data: A Look into the LAUSD Hack and How to Protect Your School

The Los Angeles Unified School District (LAUSD) is the second-largest school district in the United States, serving over 600,000 students in more than 900 schools. On September 3, 2022, the district suffered a major cyberattack that affected several of its systems.

The attack, which is believed to have been carried out by a group of hackers, resulted in the encryption of data on the district's network, making it inaccessible to staff and students. The hackers also demanded a ransom in exchange for the decryption key.

It is believed that a cybercriminal gang used internal login credentials that had been leaked on the dark web to access LAUSD's network and launch a ransomware attack. These credentials, of which 23 were leaked, granted access to LAUSD's Virtual Private Network (VPN), which is often the first step in a ransomware attack as it provides access to other sensitive areas of the network where malware can be installed.

How did the attack happen?

The ransomware attack was executed by a group of cybercriminals known as Vice Society, who conduct their operations in Russia. Initially, Vice Society did not disclose the full extent of the attack and without any concrete evidence to the contrary, Superintendent Alberto Carvalho made an optimistic statement that the accessed data did not likely contain any personally identifiable information.

However, two weeks after the attack, the hackers issued a ransom demand which included a three-day deadline. At that time, the impact of the attack was still not entirely clear. The ransom demand likely included a proposal to reverse the encryption of critical systems that were affected by the attack.

The Los Angeles Unified School District (LAUSD) was targeted by a double extortion ransomware attack carried out by the group known as Vice Society. This type of attack involves not only encrypting critical computer systems, but also stealing sensitive data and threatening to sell it if a ransom is not paid. This creates pressure on the victims to make a ransom payment on two fronts:

• The longer critical systems are encrypted, the longer a business is unable to operate, which can lead to Service Level Agreement violations.
• If sensitive customer data is leaked, a business could face significant reputational damage.

In this instance, it appears that Vice Society did not clearly state their second extortion threat in their initial ransom demand. LAUSD, following the FBI's advice to not pay ransom, refused to pay the ransom, resulting in Vice Society publishing the stolen data on their ransomware leak blog hosted on the dark web.

The attack on the Los Angeles Unified School District (LAUSD) resulted in the exfiltration of sensitive data, which was later confirmed when Vice Society, the cybercriminal group responsible for the attack, published the stolen information on their ransomware leak blog.

This data leak highlights the link between ransomware attacks and data breaches. The group revealed to Bleeping Computer that 500GB of data was stolen from LAUSD's systems, which may include Social Security Numbers, passport information, and other confidential data. Due to the severity of the incident, the FBI, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and local law enforcement agencies have become involved in the investigation.

Previous Ransomware Attempt 

LAUSD has previously been targeted by hackers. In 2021, the ransomware group successfully infected a computer belonging to a school psychologist with a Trickbot malware, which is used to steal credentials and financial information. Though the district was informed by a security firm of the attack, it is unknown if the specific weaknesses that allowed the attack to happen were fixed.

What can schools learn from the LAUSD Hack? 

Valuable lessons can be learned from this attack. By implementing the following into their cybersecurity program, schools could greatly reduce the impact or even prevent similar incidents like the LAUSD hack from occurring.

Implementing a data leak detection service

This can alert schools when sensitive information is leaked and quickly secure compromised accounts, lowering the risk of follow-up attacks. This service could have potentially helped LAUSD detect and secure internal credentials used in the ransomware attack.

Implement Multi-Factor Authentication (MFA)

Implementing (MFA) on accounts can make it harder for hackers to gain access to a network even if they have stolen credentials. However, MFA can still be bypassed, so it's crucial to consider and account for common methods of bypassing MFA when implementing this security measure.

Regularly backing up data

Regular backups can help organisations restore their systems and data quickly and efficiently in the event of a cyberattack.

Maintaining strong cyber security measures

Keeping software and systems up-to-date and implementing strong security protocols can help prevent cyberattacks from occurring in the first place.

Having a disaster recovery plan in place

Having a plan in place for responding to a cyberattack can help organisations minimise the disruption and damage caused by an incident.

Training employees

Regularly training employees on how to recognise and respond to cyber threats is crucial in maintaining the security of an organization.

Incident response plan

Organisations should have incident response plans in place, as it's important to contain the damage and bring the systems back online in a timely manner, minimising the disruption to student learning.

Ransom payment

Organisations should not pay the ransom as it encourages the hackers and does not guarantee the decryption of the data.

Regularly monitoring and assessing the security

Regularly monitoring and assessing the security of their networks and systems can help organizations identify and address vulnerabilities before they are exploited by hackers. Overall, the incident at LAUSD illustrates the importance of being prepared for a cyberattack and taking proactive measures to protect sensitive information and systems. 

Conclusion

The attack on LAUSD serves as a reminder of the importance of maintaining robust cybersecurity measures and being prepared to respond quickly and effectively in the event of a cyberattack. The attack, carried out by the group known as Vice Society, resulted in the encryption of data on the district's network, making it inaccessible to staff and students, and a ransom demand was made. It is believed that a cybercriminal gang used internal login credentials that had been leaked on the dark web to access LAUSD's network and launch a ransomware attack.

The incident highlights the link between ransomware attacks and data breaches, and the need for organisations to take proactive measures to protect sensitive information and systems. By implementing measures such as data leak detection service and Multi-Factor Authentication, schools can greatly reduce the impact or even prevent similar incidents from occurring. It is also important for organisations to have a disaster recovery plan in place, train employees on how to recognise and respond to cyber threats, have incident response plan in place, not pay the ransom and regularly monitor and assess the security of their networks and systems. 

Take action now and ensure your organization is protected and be prepared for a cyberattack. Sign up for a free Securiwiser account today.