By posting data stolen from the Los Angeles Unified School District on the dark web, hackers made a bad situation worse for some LAUSD parents, students, employees and contractors.
Still, there are steps you can take to protect yourself from identity theft and other forms of exploitation. And it makes sense to do them even though Los Angeles Unified Supt Alberto Carvalho said Monday that a minimal amount of sensitive personal information was released.
“While there is a lot of information, very little of it is absolutely critical or confidential,” he said.
The investigation is ongoing and approximately one-third of the released material remains to be investigated by LAUSD. That leaves people who interacted with the district guessing if they were victims and, if so, what kind of data was released. Carvalho also said the district doesn’t yet, and may never, know how the hackers — a group that calls and owns itself the Vice Society — know claimed credit – infiltrated and disabled parts of the LAUSD network.
According to the district, the attack caused the most damage to the district’s Facility Services Division, which oversees maintenance and construction. The other main system affected is the one that holds data about students and their classes, specifically a system that archives data from 2013 to 2016, Carvalho said. By shutting down the rest of the network shortly after the intrusion was discovered, the district is able to limit the reach of the hackers, he said.
The superintendent said hackers extracted 500 gigabytes of data from the district, or enough to fill more than 100 standard DVDs. That’s a tiny fraction of the 16 million gigabytes of data district officials say is their system memory.
TechCrunch reported Monday that the data trove appears to include “personal identifying information, including passport details, social security numbers, and tax forms,” as well as “contract and legal documents, financial reports with bank account details, health information including COVID-19 test data, criminal records, and psychological reports from students.” “
Pushing back during an afternoon news conference, Carvalho said the district had seen no evidence of psychological assessments or health records in the released data.
If you are a LAUSD student, parent, employee or contractor, you should take the following steps now to assess your risk and protect yourself.
Find out what personal information you have disclosed to LAUSD
Under state law, since 2017, school districts are prohibited from collecting student social security numbers unless required by law (e.g., when a student is a paid employee). So for many kids, that should be one less thing to worry about.
The archived records included some students’ social security numbers, Carvalho said, along with names and addresses. But Carvalho said there was no evidence at this time that social security numbers or sensitive health information were revealed. Instead, he said, it’s mostly student names, attendance dates, some academic information, and some addresses that may be linked to students living there.
There was also no evidence that current employees’ confidential information, including social security numbers and salary information, was disclosed, Carvalho said. Instead, he said, personal information was disclosed to a limited number of workers employed by maintenance or construction companies. These included some W-9 tax forms, documents typically submitted by contractors that contain either a Social Security or tax identification number.
However, identity thieves are interested in more than just your social security number. The more personal information they can collect, the more opportunities they have to impersonate you when dealing with your bank, your service providers and your contacts. The data can also help them launch more effective phishing attacks against other networks by helping them pose more credibly as trusted connections, said Brett Callow, a threat analyst for security firm Emsisoft.
Take proactive measures to protect against identity theft
Again, it is not yet clear who exactly is affected. But it wouldn’t hurt to make yourself less vulnerable now.
Check HaveIBeenPwned.com to see if your email credentials were stolen in a data breach. In this case, change your password immediately.
Check your credit regularly, which is a good way to spot scams after they happen. For example, someone who opens a credit card account in your name will usually lower your credit score. The Consumer Financial Protection Bureau offers several ways to check your score, either for free or for a fee.
For even more protection, you can freeze your credit files, which prevents anyone from opening a new account. It is free to place a freeze and lift it for your own needs. However, you will need to contact each of the three major credit bureaus individually, which you can do online. Cybersecurity journalist Brian Krebs also suggests freezing the credit files held by a handful of smaller, more specialized agencies like ChexSystems and FactorTrust.
Or sign up for a credit and identity monitoring service, which typically incurs a monthly fee. These outlets offer tools to protect you from phishing and other forms of hacking, combined with scanning services that look up your social security number or email address in places on the internet where they don’t belong.
Carvalho said the district will offer a free credit monitoring service to anyone whose personal information is released by the hackers.
Call the hotline set up by LAUSD
The hotline number – (855) 926-1129 – is only answered weekdays from 6am to 3:30pm and only a limited amount of information is provided. For example, operators cannot yet answer questions about who was affected and what data was compromised, as these matters are still under investigation. “We’re still working diligently with law enforcement to find out what information was taken and who owns it,” a Times official said.
What the hotline can do at this point is recommend a number of steps people can take to protect themselves from identity thieves online. This includes not clicking on emails or texts from unknown senders and creating a unique password for every account you have online. To remember all those passwords, consider a password manager app like LastPass or Dashlane.
According to the hotline operator, the county will provide more information once it knows what data was stolen and will be in touch with those affected. However, it is not known how long this will take.
Understand what you are dealing with
Many parents wonder why hackers attack a school district. The answer, security experts say, is because they’re opportunistic, so they attack anything that appears vulnerable.
Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University, said hackers are constantly scanning the web for vulnerabilities and spamming inboxes with phishing attempts. And Callow said they will also buy hacked credentials for targets they find appealing.
The attack on LAUSD involved two attempts to blackmail the district. The hackers encrypted some of the data on the network to make it inaccessible, then offered to provide a decryption key for an undisclosed amount of money. They also threatened to sell the copied data if the district didn’t pay the ransom.
The district did not disclose how the attack was carried out. The federal agency for cybersecurity and infrastructure security, which issued a warning to Vice Society shortly after discovering the hack, said it typically gains access to networks in two ways: by exploiting a vulnerability in a publicly-facing part or by deceiving a valid one provide a login and password.
“Schools are in a very difficult position,” Callow said. “People want them to spend money on children’s education, and spending millions of dollars on additional IT security measures and IT staff may not be the most politically popular decision until something like this happens.”
It’s a common problem, Sekar said. “For most of these organizations, security is a cost center. It’s a line item in the budget with no immediate benefit. … You fall and burn, and only then do you feel, ‘Oh, I should have had a fire department.'”
Two basic things schools can do to protect themselves, according to Sekar, are to encrypt any sensitive documents they store and have a backup plan if they get hacked. Keeping a backup copy of key data and systems would at least ensure that a system cannot be shut down in a ransomware attack, he said.
Howard Blume, a Times contributor, contributed to this report.
About the Times Utility Journalism Team
This article is from the Times’ Utility Journalism team. Our mission is to be essential to the lives of people in Southern California by publishing information that solves problems, answers questions, and aids in decision making. We serve audiences in and around Los Angeles—including current Times subscribers and diverse communities whose needs have not been met by our coverage in the past.
How can we be useful to you and your community? Email Utility (at) latimes.com or one of our journalists: Matt Ballinger, Jon Healey, Ada Tseng, Jessica Roy and Karen Garcia.