Hackers leak 500GB trove of data stolen during LAUSD ransomware attack

Hackers have released a cache of data stolen during a cyberattack against the Los Angeles Unified School District (LAUSD) in what appears to be the biggest education breach in recent years.

Vice Society, a Russian-speaking group that last month claimed responsibility for the ransomware attack that disrupted the LAUSD’s access to email, computer systems and applications, published over the weekend the data stolen from the school district. The group had previously set an October 4 deadline to pay an unspecified ransom demand.

The stolen data was posted to Vice Society’s dark web leak site and appears to contain personal identifying information, including passport details, Social Security numbers and tax forms. While TechCrunch has not yet reviewed the full trove, the published data also contains confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students.

Vice Society, a group known for targeting schools and the education sector, included a message with the published data that said the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the government agency assisting the school in responding to the breach, “wasted our time.”

In an email, Vice Society told TechCrunch that CISA allegedly stalled the release of data and that CISA was “wrong” to advise LAUSD not to pay the ransom demand. (CISA and the FBI have long discouraged victims from paying the ransom as to not “embolden adversaries to target additional organizations.”) “We always delete documents and help to restore network [sic], we don’t talk about companies that paid us,” the cybercriminals said. “Now LAUSD has lost 500GB of files.”

CISA did not immediately respond to a request for comment.

LAUSD superintendent Alberto M. Carvalho confirmed the release of stolen data in a statement posted to Twitter on Sunday, along with announcing a new hotline starting Monday morning — (855) 926-1129 — for concerned parents and students to ask questions about the cyberattack.

Just hours before the public release of the stolen data, LAUSD posted a statement on Friday in which it confirmed it would not pay Vice Society’s ransom demand, the amount of which remains unknown.

“It is important to note that this investigation is ongoing,” the statement said. “Los Angeles Unified remains firm that dollars must be used to fund students and education. Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”

LAUSD said it is working with law enforcement to “determine what information was impacted and to whom it belongs.” The district did not say if it knows what data it expects to be released. LAUSD is the second largest district in the United States with more than 1,000 schools and 600,000 students.

LAUSD spokesperson Shannon Haber declined to comment beyond Friday’s statement.

According to Brett Callow, a threat analyst at Emsisoft, the Vice Society ransomware gang has attacked at least eight other U.S. school districts, colleges and universities so far in 2022. The gang has previously been the subject of a warning from CISA and the FBI, which said Vice Society is “disproportionately targeting the education sector with ransomware attacks.”

LAUSD said that it “continues to deal” with the cyberattack and is “making progress toward full operational stability for several core information technology services.” Some educational institutions targeted by ransomware don’t recover at all: Lincoln College, established in 1865, recently announced that it was closing its doors after a ransomware attack disrupted the admission process last December.