The IT Nerd

The Los Angeles Unified School District (LAUSD) is currently investigating a threat actor’s claims that they are selling stolen databases containing sensitive information belonging to millions of students and thousands of teachers. LAUSD, which is the second largest public school district in the United States, had more than 563,000 students enrolled for the 2023-2024 school year.

According to the threat actor, the stolen data is being sold for $1,000 on a hacking forum. The data allegedly includes over 11GB of information, encompassing more than 24 million student records, over 24,000 teacher records, and approximately 500 records containing staff information. The hacker shared samples of the data to prove its legitimacy, which included around 1,000 student records complete with Social Security Numbers (SSNs), addresses, parent addresses, email addresses, contact information, and dates of birth.
 
The authenticity and recency of the data remain uncertain as the threat actor only shared a small portion of the allegedly stolen information. There might be new information that has not yet been disclosed.
 
“We are looking into this and will get back to you if we have further information to share,” said LAUSD Public Information Officer Britt Vaughan in a statement to BleepingComputer.
 
In a related incident, LAUSD was hit by a ransomware attack in September 2022 over the Labor Day weekend. The Vice Society gang claimed responsibility for that breach, claiming they stole 500GB of files before encrypting the district’s systems.
 
Following the 2022 attack, LAUSD mandated all employees (teachers, support staff, and administrators) as well as students, reset their @LAUSD.net account credentials in person at a district site and expedited the rollout of multi-factor authentication.

Steve Hahn, Executive VP, BullWall has this to say:

   “The threat landscape has taken a sinister turn in the last few years, partly because these (mostly) Russian based threat actors consider our support of Ukraine an act of war and also because of the financial stakes. This is a multi-billion-dollar industry now. However recent years has seen the threat actors intentionally targeting young children for extortion and blackmail, which is precisely what this. It’s unconscionable.

   “Threat actors target schools with “dual extortion” techniques. They exfiltrate data on students and encrypt all of the school’s data in a sequenced attack. The school will have to pay to not have that data leaked and pay again to get it decrypted. The information they can get in an attack like this is devastating to the children involved. Information about their grades, sexual activity, medications or mental healthcare, domestic violence, sexual orientation or identity and disciplinary actions. When this gets leaked parents will be, rightfully, outraged and the political fallout severe. The threat actors know this and seem to disregard the impact on the well-being of the targeted children.

   “Unlike big corporations or other government services, schools simply don’t have the resources or personnel to prevent these attacks. It is not a matter of “if” a school district will be hit but “when” and the funding bodies don’t seem willing to allocate pro-active funding until they’ve been hit and see first-hand the fallout. However, even with the best prevention tools in the world a determined threat actor will eventually break through.

   “Schools need to limit the sensitive information they document and retain. They need recovery strategies for the eventuality and need to also focus on rapid containment of the event to limit the amount of data impacted. It is also important to hold tabletop exercises to create a playbook for what happens when they eventually do get hit. How Legal, Boards and City Councils will be involved. These exercises often open up the eyes of the city councils to just how impactful these events are.”

Dave Ratner, CEO, HYAS follows with this:

“Schools and universities are increasingly becoming common targets, both because of the treasure trove of data they contain and their overall cyber security posture, which is unfortunately often less than perfect based on limited budgets. It’s imperative that those in the education sector prioritize cyber security hygiene — often this can be accomplished in a budget-friendly manner via one of the many MSP and MSSPs that focus on best practices.”

It will be interesting to see if these claims of LAUSD being pwned again are true. If they are, then LAUSD will have to do a lot of hard work to make sure that threat actors don’t go three for three so to speak.

Recently, Australian mining company, Northern Minerals, disclosed a breach after BianLian leaked data. Exfiltrated data includes corporate, operational, shareholder and financial information, along with detailed related to current and former personnel. The company noted that the incident did not affect mining or business operations. 

Darren Williams, CEO and Founder, BlackFog:

“The attack on Northern Minerals is an example of how ransomware gangs will proceed once their demands are not met. While this is an unfortunate reality for the shareholders and the organization itself, it reflects a common trend among ransomware gangs that are focused specifically on data exfiltration rather than encryption.  Today’s gangs are about extortion and the many ways data can be leveraged for financial gain, so the focus must revolve around data security and preventing data exfiltration to protect organizations from these ongoing threats.”

The best way to make the activities of these gangs less profitable is to make sure that they can’t get into your environment. Because you can’t be extorted if they can’t get in.