K–12 Cybersecurity

LAUSD Chief Gets Unlimited Emergency Spending Powers After Vice Society Claims Stolen Data From Ransomware Attack

New details about the Labor Day weekend ransomware attack on Los Angeles Unified School District have trickled out over the past week, indicating that district officials may be negotiating with the threat actors to preserve district data stolen during the incident — and that they are definitely diving into major IT and cybersecurity upgrades.

[Image caption: LAUSD superintendent Alberto Carvalho shared the news of his emergency spending authority on Twitter.]

Late Tuesday, the LAUSD school board unanimously voted to approve unfettered emergency spending authority for Superintendent Alberto Carvalho to enable a swift response and recovery as well as upgrades to the district’s IT infrastructure and cyber defenses, Carvalho said on his Twitter account.

“There is no time to wait on the strategic decisions and implementation of prudent solutions to address short- and long-term cyber-risks,” the superintendent tweeted this morning along with a link to the LA Times report on the board’s decision. Carvalho had shared a list of IT infrastructure and security improvement goals immediately after the attack was disclosed, which he will be able to immediately put into motion district-wide thanks to the emergency spending powers approved Tuesday.

A full picture of the ransomware attack’s impact and aftermath continues to come into focus. Carvalho told the LA Times after Tuesday’s board meeting, the newspaper reported today, that “the hackers had left behind silent, almost invisible tripwires with the potential to set off another chain of damage or compromised information,” which were discovered during the investigation by local and state authorities alongside the FBI and Department of Homeland Security. Those agencies also issued a warning to all U.S. school districts last week about Vice Society’s uptick in activity targeting schools.

“During the attack the facilities network was encrypted and taken down,” the Times reported today. “District officials said they prevented a similar outcome elsewhere by shutting down other systems, then bringing them back online gradually and safely. … Because the hackers compromised a significant number of passwords, officials ordered a districtwide reset of more than 600,000 credentials. Then technicians discovered that the password reset system was partially compromised as well — and the reset process had to slow down.”

The district has said it received no ransom demand; but Vice Society claimed the attack late last week, telling several journalists via email that it stole 500GB of sensitive data before the ransomware was detected the Saturday night before Labor Day.

The absence of a ransom demand doesn’t add up, cybersecurity experts said, noting that other districts known to be recent victims of Vice Society initially denied experiencing ransomware at all, or denied getting any ransom demand, then days or weeks later details emerged that proved otherwise. One such recent example was Iowa’s Linn-Mar School District; images of the actual demand from Vice Society were shared online by district employees after officials initially said they were simply having “technical difficulties.”

Doug Levin, national director at cybersecurity nonprofit K12SIX, is tasked with tracking all publicly disclosed cyberattacks at K–12 schools in the United States. He helps school district IT leaders across the country to improve their protections, and he advocates for more resources and stronger security standards alongside cybersecurity officials at the state and national level as well as with tech companies whose IT and security products are used in public school districts.

In several interviews with THE Journal, Levin has bemoaned the lack of transparency when it comes to public schools’ cybersecurity posture and student-data protections. From his many discussions with tech and IT professionals across the K–12 sector, he has concluded that “cyber incidents at K–12 schools are being kept secret all the time” — including incidents where student and staff data has been compromised.

“In our State of K–12 Cybersecurity report, we featured some investigative journalism where cyber attacks were not disclosed until the journalists began looking into them or published documentation of them; they wouldn’t disclose it at all unless they were called on it,” he said in March. “Then there’s another set of schools that didn’t even know they had a cyber incident or data breach: There are plenty of examples of security researchers finding student data on the dark web and when they reached out to the district, the district apparently had no idea that it had happened.”

Since the LAUSD ransomware attack, the statements that have been shared make Levin and his cybersecurity colleagues think there’s a lot that is not being said — and a lot of taxpayer funds about to be spent outside the public eye, ransom or no.

“The fact Carvalho pushed to be open on Tuesday after the attack on Labor Day weekend and he’s said he wants schools to be open for the kids no matter what, coupled with the fact Vice Society — which has no compunction at all about dumping its victims’ data on the dark web — hasn’t published any of the stolen data, well these are good indicators that LAUSD could be negotiating and preparing to pay an extortion demand,” Levin told THE Journal.

“Obviously, we don’t know anything for certain, yet an extortion demand or ransom payment doesn’t seem to have been explicitly ruled out by the district,” he said. “In similar incidents elsewhere, districts have approved emergency funds in response to cybersecurity attacks — these ransomware attacks are frequently more severe than they’ve been able to deal with on their own.

“What sets this LAUSD emergency authority vote apart is the scope and scale of this emergency spending request — this is permission for the superintendent to spend any amount of money over the next year that does not have to go through the public procurement or bidding process.”

The board’s decision to give Carvalho permission to spend with no limits or oversight for a full year “suggests that they believe they have a lot of work to do, and it suggests either they don’t know how much money they need to spend on this incident response or they don’t want to be on record citing the amount of money they need to spend,” Levin said.

As noted by reports last week in the Los Angeles Times and BleepingComputer.com, LAUSD was warned in two separate cybersecurity reviews over the last two years of dozens of IT dangers that needed to be addressed — potential open doors to cyberattacks identified by consultants in their reviews — yet most of those recommendations hadn’t been followed or even addressed by district leaders.

One of the first recommendations for protecting network security, for example, is multi-factor authentication. The consultants’ reports on LA schools’ network security both mentioned weaknesses in passwords and recommended urgent implementation of MFA. Nevertheless, LAUSD did not use MFA when the ransomware attack occurred — the district was planning to begin implementing MFA this week, according to the LA Times.

Levin said he has no doubt that this ransomware attack — even if there is no extortion payment made — will end up costing the district $100 million or more.

“Given the long list of things the district has said they want to take on to shore up their security posture, and the scope of the planned IT work the superintendent has laid out, and comparing to what other, smaller districts have had to spend in response to ransomware, LAUSD could be looking at $100M or more in response and recovery spending just from this incident,” he said. “It will certainly total in the tens of millions, minimum.”

Buffalo Public Schools in New York, for example, with about 31,000 students and 60 schools, reported a year after it suffered a ransomware attack that response and recovery had cost $10 million — and that was before its IT infrastructure upgrades were completed. District leaders have said they did not pay any ransom, and months after the attack the district notified over 110,000 former and current staff, students, and business partners that the hackers had indeed accessed their private data within school networks.

LAUSD is well over ten times bigger than the Buffalo district, with approximately 565,000 students enrolled this year, and 1,438 school campuses. And its infrastructure is extremely complex, Levin noted, referencing a January 2021 information security audit detailed in a DataBreachToday.com report last week: “According to the report, the internal network is comprised of 259,200 services; 85,241 web services; 57,765 other services and 116,219 miscellaneous services, including SSH, POP3 and NTP.”

Meanwhile, as headlines move on to other news, the nation’s K–12 school districts still need the federal government to take action and provide immediate resources to protect school networks, Levin said.

“The actors who are targeting school districts are based overseas – that automatically makes this the purview of the federal government,” he explained. “The second reason the federal government should be addressing this and protecting schools is the federal government, in various ways, has both encouraged and directly funded — all but required — the use of technology in schools, but has offered precious little support to schools on how to do that safely. So, yes, it is basically the technology version of unfunded mandates.”