The Los Angeles Unified School District, the victim of a major cyberattack over Labor Day weekend, has received a ransom demand from the person or group that hacked into its systems, though officials have not indicated if they intend to pay or enter into any negotiations.
“There has been communication from this actor, and we have been responsive without engaging in any type of negotiation,” Superintendent Alberto Carvalho told reporters outside the district’s headquarters on Wednesday, Sept. 21.
“A financial demand has been made by this entity. We have not responded to that demand,” he added.
District officials have not said how much money the hacker or hackers demanded nor what information they claim to have stolen.
Officials previously acknowledged that the LAUSD student information system was “touched.”
“We believe that some of the data that was accessed may have some students’ names, may have some degree of attendance data, but more than likely lacks personally identifiable information or very sensitive health information or Social Security number information,” Carvalho said Wednesday. “It is a containable risk that we’re dealing with here.”
He maintained that there has been no evidence that employees’ payroll information or Social Security numbers were compromised.
The district is working with the FBI and local law enforcement on the ongoing criminal investigation and is acting upon the advice of such agencies and cybersecurity and legal experts.
Regardless of whether L.A. Unified decides to pay the ransom, one cybersecurity expert said the district will likely incur a hefty bill as it recovers from the data breach.
Doug Levin, national director of K12 Security Information eXchange, or K12 SIX, said he would not be surprised if the incident will cost L.A. Unified, the nation’s second-largest school district, tens of millions of dollars in overall recovery efforts. Those would include fortifying its IT infrastructure, rebuilding systems, and other costs related to the investigation which could last months if not years.
In the last two years, Baltimore County Public Schools in Maryland spent nearly $9.7 million in recovery costs, and the school board in Buffalo, N.Y., approved nearly $9.4 million in expenditures for IT consultants after its districts were attacked by ransomware, according to K12 SIX, a nonprofit that tracks cybersecurity threats among school districts throughout the United States.
Law enforcement agencies generally advise districts not to pay ransom demands, Levin said, because doing so helps the hacker fund its criminal operations and it encourages similar entities to target educational institutions, Levin said.
That said, he noted that if a hacker was able to infiltrate and extract enough information, school officials would have difficult choices to make.
“This is what LAUSD is grappling with. Ultimately it will have to be a decision by district leadership about how best to protect the educators, the students,” said Levin, noting that some districts have paid upward of $1 million in ransom demands.
Attacks on educational institutions are all too common, cybersecurity experts say.
In 2021, 62 school districts and 26 colleges or universities in the United States were attacked by ransomware, according to the cybersecurity firm Emsisoft. At least half of those 88 incidents involved theft of data, with sensitive information about employees and students posted online.
Cybersecurity experts say educational institutions are easy targets because they typically don’t have large budgets for their information technology departments. That translates to outdated software and systems that aren’t the most secure.
LAUSD officials recently announced measures it has taken or plans on implementing to beef up security, including forming a task force to review district protocols related to cybersecurity; conducting needs assessments; seeking advice on best practices and systems; and allocating funds to strengthen its IT infrastructure.
Carvalho has also said he’s reviewing the results of an audit conducted about two years ago regarding L.A. Unified’s cybersecurity and why a number of recommendations weren’t acted upon.
The superintendent noted that after joining LAUSD in February, he called for the rollout of a multi-factor authentication system that requires users attempting to log on to a system to sign in through multiple means, to verify their identity.
That’s the most important measure parents can take to guard against having their account hacked, he said Wednesday, calling it an “inconvenient but necessary” measure.
While maintaining that L.A. Unified’s computer system is well-protected, Carvalho noted that cyberattacks remain commonplace. More than two dozen school districts nationwide have reportedly been the victim of ransomware attacks so far this year, and even the National Security Agency has been hacked in the past, he said.
“This,” he said, “is the sad but new reality we’re facing.”
Stay connected with us on social media platform for instant update click here to join our Twitter, & Facebook
We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.
For all the latest Education News Click Here
