The confidential nature and scope of sensitive data stolen and leaked from the Los Angeles schools system remains under investigation, but data observed by threat researchers thus far merits apprehension. Files and folders containing personal and potentially damaging information on students and employees were exposed.
About 250,000 files were posted on the dark web, some containing Social Security numbers, contracts, W-9 tax forms, invoices and passports, Check Point researchers told Cybersecurity Dive on Wednesday.
The Los Angeles Unified School District said roughly 500 gigabytes of data was stolen during the Labor Day weekend ransomware attack, according to the Los Angeles Times.
“Based on what we have seen, there is, at this point, no evidence of widespread impact as far as truly sensitive, confidential information,” Alberto Carvalho, the district’s superintendent, said during a Monday news conference following the release of data.
“The release was actually more limited than what we had originally anticipated,” he said.
Vice Society, the prolific ransomware group behind the attack, released the data two days earlier than the deadline it set for a ransom payment. The district, following the advice of the FBI and the Cybersecurity and Infrastructure Security Agency, refused to respond to the threat actor’s demand.
While the district asserts the leak wasn’t as damaging as it feared, screenshots of district data observed by Check Point and shared with Cybersecurity Dive still paint a worrying scenario.
The leak contained district file folders with titles such as “DACA,” “bully,” “convict,” and “violence,” among others, suggesting personally identifiable and highly sensitive information on students, employees and contractors was exposed.
Carvalho, during the news conference, contested reports of student psychological assessments being leaked, but conceded there are “outlier” cases.
Some files observed by Check Point include details about “hate-motivated incidents,” accident investigations and incident forms required when a student, employee or visitor suffers an injury.
The researchers also noted many of the files were recent, partly contradicting the district’s claim that stolen files were more dated. Some of the files observed by Check Point are from 2022.
Carvalho, at the news conference, said most of the student information, including attendance data, information and addresses, dates from 2013 to 2016.
The theft and release of LAUSD data is “massive and widespread,” said Ekram Ahmed, spokesperson at Check Point. “Once it goes on the darknet, hackers in all corners can ultimately access.”
The district, which plans to complete its review of the leak by next week, said it will contact affected individuals and offer credit monitoring services. While common practice following a major attack, post-breach monitoring does little to protect potential victims from identity theft or the release of sensitive data.