An analysis of stolen Los Angeles Unified data posted on the dark web by a criminal hacking syndicate showed no evidence that the cyberattack accessed sensitive student or staff personal data, the district superintendent said, but district parents and employees are still on edge Tuesday.
The attack appears to have been "even more limited than we originally anticipated," Superintendent Alberto Carvalho said Monday, one day after an apparently Russia-based hacking organization posted an array of stolen LAUSD data on the dark web. The posting came ahead of a previously announced Monday deadline the hacking group gave the district to pay an unspecified ransom it had demanded.
The early release of the data appeared to follow repeated assertions by Carvalho and the district that it had no intention of paying any type of ransom.
Speaking at a late afternoon news conference Monday, Carvalho said early media speculation about the contents of the hacked data was largely inaccurate -- most notably a report that psychiatric evaluations of students was posted online.
He conceded that some personal information such as Social Security numbers, passport details and other financial data involving outside contractors appeared to have been obtained and posted. But in terms of LAUSD students and staff, there was "no evidence of widespread impact as far as truly sensitive confidential information."
- LAUSD cyberattack: Carvalho says sensitive student information not made public
- Hackers release LAUSD data after ransom denied
- Investigation: Quarter of a million LAUSD files found on dark web after cyberattack
According to Carvalho, the information posted online from the Labor Day weekend hacking attack did not appear to contain any critical data involving current district employees.
As he stated previously, he confirmed that the hackers did appear to access the district's MiSiS (My Integrated Student Information) System, and they obtained some limited information such as students' names, attendance data and "some academic information." But Carvalho said that data appeared to be "archived" information dating back to 2013-16.
"We believe the vast majority of that data is not recent data," he said.
Carvalho credited the limited nature of the hacked material to the district's decision to immediately shut down the vast majority of its computer systems once staffers detected unusual activity on its servers over Labor Day weekend.
He said the move "basically stopped the intrusion."
"It was the equivalent of shutting the doors on this entity," Carvalho said.
The superintendent sought to reassure district parents and staffers about the limited nature of the information that was obtained by the hacking group -- which identified itself online as the Vice Society. But he said he understands the ongoing concern.
"We understand that this is an issue of grave concern to our community," he said.
The district on Monday morning opened a hotline for parents and staff to get information about the hacking attack. But the phone system was immediately overwhelmed with callers, some of whom waited up to an hour to get a response, and even then the available information was limited.
Carvalho said the hotline was being operated by a third-party contractor hired by the district, and he said the company was put on notice that it needed to dedicate more personnel to the line to improve its operation. Starting Tuesday, the hotline will operate from 8 a.m. to 8 p.m.
The hotline number is 855-926-1129.
During his Monday news conference, Carvalho did not name the hacking organization involved in the data theft, although he confirmed it appeared to be based entirely within Russia. He noted that the group made use of computer servers in the Netherlands, Germany and Canada.
On Friday, in a dark web post detected and reprinted by Brett Callow of the cybersecurity firm Emsisoft, the hacking syndicate Vice Society listed the LAUSD as one of "our partners," and stated, "The papers will be published by London time on October 4, 2022 at 12:00 a.m."
Carvalho confirmed last week the district had received a ransom demand from the hackers, a demand he quickly dismissed as "absurd" and "insulting." He said the district would not negotiate with the group, nor would it pay any ransom.
He stressed Monday that no negotiations occurred, either directly or indirectly.
"There were suggestions that we were not negotiating but we were using somebody behind the scenes to negotiate on our behalf. That never happened," he said.
He again expressed his insistence that the district would never waste education dollars on "subsidizing via extortion a criminal enterprise."
The district on Sunday acknowledged that the hacking group had posted stolen information online ahead of the Monday ransom deadline.
"Unfortunately, as expected, data was recently released by a criminal organization," district officials said in a statement following the posting of information. "In partnership with law enforcement, our experts are analyzing the full extent of this data release."
On Monday, the online technical news organization TechCrunch reported that it received an email from Vice Society, which accused the U.S. Cybersecurity and Infrastructure Security Agency of being "wrong" to advise the LAUSD not to pay the ransom. The organization claimed to have dumped 500 gigabytes of data, according to TechCrunch.
After discovering the Labor Day weekend hack, LAUSD officials took the extraordinary step of shutting down most of its computer systems while they worked to assess the full extent of the cyber intrusion. Systems were then slowly brought back online.
No classes or other district operations have been impacted by the cyberattack, officials said. Students and staff, however, have been forced to reset their district passwords -- a monumental task for the nation's second- largest school district.
In a Friday statement, district officials said, "To our school community and partners, we will update you when we have relevant information and notify you if you personal information is impacted, as appropriate. We also expect to provide credit monitoring services, as appropriate, to impacted individuals.
"... Los Angeles Unified remains firm that dollars must be used to fund students and education. Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services."
Following the hack, the district contacted federal officials, prompting the White House to mobilize a response from the U.S. Department of Education, the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, according to the LAUSD.