By releasing data stolen from the Los Angeles Unified School District onto the dark web, hackers made a bad situation worse for some LAUSD parents, students, employees and contractors.
Nevertheless, there are actions you can take to protect yourself from identity theft and other types of exploitation. And it makes sense to do them even though Los Angeles Unified Supt. Alberto Carvalho said Monday that a minimal amount of sensitive personal information was released.
"Even though there is a lot of information, very little of it is absolutely critical or confidential," he said.
The investigation is ongoing, and about a third of the material released has yet to be examined by LAUSD. That leaves people who've interacted with the district guessing whether they were victimized and, if they were, what sorts of data were released. Carvalho also said the district does not yet, and may never, know how the hackers - a group that calls itself Vice Society and has claimed credit - slipped into and disabled parts of the LAUSD network.
According to the district, the attack caused the most damage to the district's Facilities Services Division, which oversees maintenance and construction. The other main system affected is the one that holds data about students and their classes, especially a system that archived data from 2013 to 2016, Carvalho said. By shutting down the rest of the network soon after the intrusion was detected, he said, the district was able to limit the hackers' reach.
The superintendent said hackers extracted 500 gigabytes of data from the district, or enough to fill more than 100 standard DVDs. That's a tiny fraction of the 16 million gigabytes of data district officials say their system stores.
TechCrunch reported Monday that the data trove "appears to contain personal identifying information, including passport details, Social Security numbers and tax forms," as well as "contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students."
Carvalho pushed back during an afternoon news conference, saying that the district had seen no evidence of psychological evaluations or health records in the released data.
If you are a student, a parent, an employee or a contractor of LAUSD, here are steps you should take now to estimate your risk and protect yourself.
Figure out what personal data you've disclosed to LAUSD
Under state law, school districts have been barred from collecting students' Social Security numbers since 2017, except where required by law (for example, when a student is a paid employee). So for many kids, that should be one fewer thing to worry about.
The archived records did have Social Security numbers for some students, Carvalho said, along with names and addresses. But Carvalho said there was no evidence at this point that Social Security numbers or sensitive health information were divulged. Instead, he said, it's largely student names, attendance data, some academic information and some addresses that may be linked to the students who live there.
Nor was there evidence of current employees' confidential information, including Social Security numbers and payroll information, being disclosed, Carvalho said. Instead, he said, a limited number of workers employed by maintenance or construction contractors had personal information disclosed. That included some W-9 tax forms, documents that are typically filed by contractors and contain either a Social Security or taxpayer ID number.
Identity thieves are interested in more than your Social Security number, though. The more personal data they can collect, the more ability they'll have to impersonate you when dealing with your bank, your service providers and your contacts. The data can also help them make more effective phishing attacks against other networks by helping them more credibly impersonate trusted connections, said Brett Callow, a threat analyst for the security firm Emsisoft.
Take proactive steps to guard against identity theft
Again, it's not clear at this point who, exactly, has been affected. But it wouldn't hurt to make yourself less vulnerable now.
Check to see if your email credentials have been stolen in a data breach by visiting HaveIBeenPwned.com. If so, change your password immediately.
Check your credit score regularly, which is a good way to detect fraud after it happens. For instance, someone opening a credit card account in your name will usually lower your credit score. The Consumer Financial Protection Bureau outlines several ways to check your score, either for free or for a fee.
For even more protection, put a freeze on your credit files, which will prevent anyone from opening a new account. It's free to place a freeze and to lift it for your own needs. But you have to contact each of the three major credit reporting companies individually, which you can do online. Cybersecurity journalist Brian Krebs also suggests freezing the credit files maintained by a handful of smaller, specialized agencies, such as ChexSystems and FactorTrust.
Or sign up for a credit- and identity-monitoring service, which typically carries a monthly fee. These outlets provide tools to protect you from phishing and other forms of hacking, combined with scanning services that look for your Social Security number or email address in places online where it doesn't belong.
Carvalho said the district will provide a credit-monitoring service for free to anyone whose personal information is released by the hackers.
Call the hotline set up by LAUSD
The hotline number - (855) 926-1129 - is answered only from 6 a.m. to 3:30 p.m. on weekdays, and only a limited amount of information is provided. For instance, operators can't yet answer questions about who was affected and what data were compromised, saying these matters are still being investigated. "We are still diligently working with law enforcement to find out what information was taken and who it belongs to," one operator told The Times.
What the hotline can do at this point is recommend a number of steps people can take to protect themselves from identity thieves online. This includes not clicking on any emails or texts from unknown senders and creating a unique password for each account you have online. To help remember all those passwords, consider a password manager app such as LastPass or Dashlane.
According to the hotline operator, the district will make more information available once it knows what data have been stolen, and it will contact the individuals who are affected. How long it will take to do so, however, isn't known.
Understand what you're up against
Many parents are asking why hackers would attack a school district. The answer, security experts say, is because they're opportunistic, so they'll attack anything that seems vulnerable.
Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University, said hackers scan the internet constantly for vulnerabilities, in addition to spamming inboxes with phishing attempts. And Callow said they will also buy hacked credentials for targets they find appealing.
The attack on LAUSD involved two attempts to extort the district. The hackers encrypted some of the data on the network to make it inaccessible, then offered to provide a decryption key in exchange for an undisclosed amount of money. And they also threatened to sell the data they had copied unless the district paid the ransom.
The district has not disclosed how the attack was accomplished. The federal Cybersecurity and Infrastructure Security Agency, which issued a warning about Vice Society soon after the hack was detected, said it typically gains access to networks in either of two ways: by exploiting a weakness in a portion that's accessible to the public, or by obtaining a valid login and password through deception.
"Schools are in a very tough position," Callow said. "People want them to be spending money on educating kids, and dedicating millions of bucks to additional IT security measures and IT staff may not be the most politically popular decisions, until something like this happens."
That's a widely shared problem, Sekar said. "For most of these organizations, security is a cost center. It's a line item on the budget without an immediate benefit. ... You crash and burn, and only then you feel, 'Oh, I should have had a fire department.'"
Two basic things schools can do to protect themselves, Sekar said, is to encrypt all the sensitive documents they store and have a backup plan for when they're hacked. Keeping a backup copy of the key data and systems would at least ensure that a system couldn't be shut down in a ransomware attack, he said.
Times staff writer Howard Blume contributed to this report.
This story originally appeared in Los Angeles Times.