Los Angeles school district receives ransom demand from Labor Day weekend cyberattacker

The Los Angeles Unified School District, the victim of a major cyberattack over Labor Day weekend, has received a ransom demand from the person or group that hacked into its systems, though officials have not indicated if they intend to pay or enter into any negotiations.

“There has been communication from this actor, and we have been responsive without engaging in any type of negotiation,” Superintendent Alberto Carvalho told reporters outside the district’s headquarters on Wednesday, Sept. 21.

“A financial demand has been made by this entity. We have not responded to that demand,” he added.

District officials have not said how much money the hacker or hackers demanded nor what information they claim to have stolen.

Officials previously acknowledged that the LAUSD student information system was “touched.”

“We believe that some of the data that was accessed may have some students’ names, may have some degree of attendance data, but more than likely lacks personally identifiable information or very sensitive health information or Social Security number information,” Carvalho said Wednesday. “It is a containable risk that we’re dealing with here.”

He maintained that there has been no evidence that employees’ payroll information or Social Security numbers were compromised.

The district is working with the FBI and local law enforcement on the ongoing criminal investigation and is acting upon the advice of such agencies and cybersecurity and legal experts.

Regardless of whether L.A. Unified decides to pay the ransom, one cybersecurity expert said the district will likely incur a hefty bill as it recovers from the data breach.

Doug Levin, national director of K12 Security Information eXchange, or K12 SIX, said he would not be surprised if the incident will cost L.A. Unified, the nation’s second-largest school district, tens of millions of dollars in overall recovery efforts. Those would include fortifying its IT infrastructure, rebuilding systems, and other costs related to the investigation which could last months if not years.

In the last two years, Baltimore County Public Schools in Maryland spent nearly $9.7 million in recovery costs, and the school board in Buffalo, N.Y., approved nearly $9.4 million in expenditures for IT consultants after its districts were attacked by ransomware, according to K12 SIX, a nonprofit that tracks cybersecurity threats among school districts throughout the United States.

Law enforcement agencies generally advise districts not to pay ransom demands, Levin said, because doing so helps the hacker fund its criminal operations and it encourages similar entities to target educational institutions, Levin said.

That said, he noted that if a hacker was able to infiltrate and extract enough information, school officials would have difficult choices to make.

“This is what LAUSD is grappling with. Ultimately it will have to be a decision by district leadership about how best to protect the educators, the students,” said Levin, noting that some districts have paid upward of $1 million in ransom demands.

Attacks on educational institutions are all too common, cybersecurity experts say.

In 2021, 62 school districts and 26 colleges or universities in the United States were attacked by ransomware, according to the cybersecurity firm Emsisoft. At least half of those 88 incidents involved theft of data, with sensitive information about employees and students posted online.

Cybersecurity experts say educational institutions are easy targets because they typically don’t have large budgets for their information technology departments. That translates to outdated software and systems that aren’t the most secure.

Source link

Leave a Comment

%d bloggers like this: