No widespread, systemic release of confidential data in LAUSD cyberattack, Carvalho says

Supt. Alberto M. Carvalho speaks during a Sept. 6, 2022, news conference at Edward R. Roybal Learning Center in Los Angeles about the cyberattack on the Los Angeles Unified School District. (Francine Orr / Los Angeles Times)

A criminal syndicate largely failed to steal valuable data from the Los Angeles Unified School District in a cyberattack, but a relatively small number of individuals have had their sensitive information released on the dark web, Supt. Alberto Carvalho said Monday.

School district and law enforcement analysts have been able to review about two-thirds of the data that were published Saturday, after Carvalho refused to authorize a ransom payment to the hackers. The overwhelming majority of students, parents and employees can breathe easier, the superintendent said.

"Based on what we have seen, there is at this point no evidence of widespread impact as far as truly sensitive, confidential information," Carvalho said. "The release was actually more limited than what we had originally anticipated."

A Times scan of the documents, which are on the dark web, largely corroborated Carvalho's assessment but also uncovered at least several complaints detailing workplace harassment and personally identifiable information of minors.

The sheer number of files released — thousands — and the lack of discernible file and folder names contribute to a daunting review process for investigators.

Even a cursory review reveals information people might not want disclosed. The Times found records of two disciplinary actions against building and grounds workers, from 2008 and 2009. There's also an incident report from June 2022 made against a plant manager detailing possible workplace harassment.

Carvalho was adamant in contesting reports of student psychological assessments being leaked, saying it did not happen. But The Times found one example, from 2005.

Even so, there is no early indication that such information was obtained en masse. Carvalho acknowledged that there are "outlier" cases of people who will have cause for concern over the disclosures.

For the most part, however, the data were not especially sensitive in nature, Carvalho said. For example, the hackers were able to seize and publish archived and incomplete student information largely from 2013 through 2016, including attendance data, academic information and addresses, he said at a downtown news conference.

Some private information includes tax forms and passports, mainly from people linked to the district's private contractors.

"We see no systemic evidence that information was breached," Carvalho said.

All those whose data were breached will be contacted, and the district will offer credit monitoring services, he said.

The full review of leaked documents, which began Sunday, could take another week because it must be analyzed piece by piece, said Soheil Katal, the school system's chief information officer. After that, it could take weeks to contact affected individuals because much of the data is archival in nature or consists of digital odds and ends, he said — a characterization that is consistent with the Times review of the dark web data.

More information came to light Monday about the attack itself. The hackers used servers based in the Netherlands, Germany and Canada.

"Based on available information, it is quite likely that this entity operates within the geographic boundaries of Russia," Carvalho said.

The attack claimed about 500 gigabytes of district data — a sizeable amount but small compared with the 1.6 million gigabytes in the district system, officials said.

The hackers, who call themselves Vice Society, leaked the documents two days ahead of their deadline for a ransom payment after Carvalho made clear that the district would not pay up.

The news conference came at the end of the first school day after the hackers released the confidential information. Many parents and employees said they were frustrated about a lack of communication and worried about what private information hackers may have on them or their children, including medical information and finances.

Officials attempted to address that concern late Monday afternoon by sending out an email and phone update districtwide.

The computer system that was most compromised is in the facilities division, putting private information from construction and maintenance contractors especially at risk. Contractors typically file W-9 forms, which include Social Security numbers, with the district. Carvalho said a "limited" number of these forms had been posted online but was unable to say how many.

The Times review also found a report on an employee's criminal record and pending cases, as well as payroll information for a major construction contractor and one of its subcontractors. Also released were more mundane materials: building maintenance logs, photos of a camping trip, audio files to play for staff birthdays.

The attack unfolded over Labor Day weekend. L.A. Unified technicians noticed and cut off the attack while it was in progress Sept. 3; otherwise, the damage to systems and data theft would have been much worse, Carvalho said.

The attack angered those involved with the nation's second-largest school system.

"I am so disgusted by this act against the most vulnerable members of our society," said Alicia Montgomery, head of the Center for Powerful Public Schools, a locally based advocacy group.

Montgomery was especially outraged about the impact on L.A. Unified and other targeted school systems amid recovery efforts from the COVID-19 pandemic.

"To think they are just holding districts across the country hostage — impeding academic instruction and growth at a time when we are all trying to mitigate the harm from two years of emergency instruction is bad enough. But to add insult to injury, they are selling information about children," she said. "This is just so despicable."

Parents on Monday expressed frustration.

Charlotte McPherson, whose 8-year-old daughter goes to Woodland Hills Elementary School, said she feels that the district has been unclear and inconsistent in sharing what information has been compromised.

She also worries about the effect on employees.

"If there’s [Social Security numbers] and compromised information for teachers and educators, what kind of confidence does this give them in their district? We’re already losing teachers," she said.

Some parents were trying to remain patient.

"As a new parent to LAUSD — kinder student — I’m super concerned, but I’m going to wait for more information to come," said Nancy Montes. "I trust the teachers and staff at my child’s school."

One part of the attack was the theft of data. Another was an effort to encrypt systems, making them unusable.

Carvalho said all systems affecting students and parents were up and running within a week after the Sept. 3 cyberattack, but many parents have experienced ongoing problems.

Elizabeth Hernandez, who has a 14-year-old and an 8-year-old, said she was unable to access the district's parent portal. As a result, she could not apply to volunteer at her children's schools.

She wonders how committed the school system will be to addressing identity theft that emerges years from now due to the hack.

"I don’t know what type of issues this will bring in the future to my children or anyone in the school district," she said. "The future problems are what I’m more worried about."

Even so, Hernandez agrees with the district’s decision to not pay the ransom, she said.

Emily Bañales, who has three children in LAUSD schools, would have preferred that the district pay it. She too is worried about what repercussions the hack will have on her children years from now, perhaps when they turn 18 or apply for a credit card.

“How is this going to affect them five years down the line, 10 years down the line, when they get out of high school and they try to get into college?” asked Bañales, who lives in Pacoima.

An "incident response" line was jammed Monday when it first became available at 6 a.m. KNX news radio reported wait times of at least 45 minutes early on; an early-afternoon check by The Times tallied a 20-minute wait.

The hotline, at (855) 926-1129, is open Monday through Friday from 6 a.m. to 3:30 p.m.

Carvalho advised parents and employees to wait to be contacted — which will happen if information related to them was part of the leak.

"No news is good news," he said.

One parent confronted the situation with dark humor.

"If my kid’s online homework submissions from the past couple years end up getting popular on the dark web, I would like a cut of the profits to make up for the premature destruction of her credit rating," she said.

This story originally appeared in Los Angeles Times.