The Los Angeles Unified School District (LAUSD) has confirmed that data containing the sensitive information of around 2,000 students were leaked in a ransomware attack by the Russian hacking group Vice Society last fall. The leaked data included psychological assessments of hundreds of LAUSD students dating back to the 1980s, and the personal identifiable information of students who received special education services, including records of their medical histories, academic performance, and disciplinary actions. The school district’s last report to state authorities in January only mentioned the information of some district contractors and subcontractor employees being compromised.
The district confirmed that approximately 2,000 student assessment records were part of the attack, 60 of whom are currently enrolled, as well as driver’s license numbers and Social Security numbers. The leaked data also revealed positive COVID-19 test results as part of the breach. An investigation into the attack is ongoing, with the school district working with forensic and cybersecurity experts to comb through the data and review individual pieces to determine what information was accessed, locate the impacted individuals, and notify them of resources to protect themselves.
The incident highlights the risks faced by educational institutions in the current threat landscape. Ransomware attacks have become increasingly common, and cybercriminals often target institutions that hold sensitive personal information, such as schools and universities.
Cybersecurity experts recommend that educational institutions implement robust security measures and procedures, including regular cybersecurity assessments and training for staff and students, and investing in modern security technologies to mitigate the risks of such attacks. The incident also highlights the need for proper incident response planning and preparedness, as a rapid response is crucial in mitigating the damage and minimizing the impact of such incidents.
