L.A. Schools Admits Sensitive Student Records Leaked After 74 Investigation
School district acknowledges some 2,000 student assessments — including those of 60 current students — exposed by hackers on the dark web
Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter
After The 74 published an investigation revealing that hundreds — if not thousands — of student psychological assessments were posted on the dark web, Los Angeles public schools acknowledged that the highly sensitive information had been exposed.
Its admission on Wednesday, which included the news that 60 current students’ records had been compromised, comes five months after the nation’s second-largest school district was the victim of a ransomware attack and four months after schools Superintendent Alberto Carvalho categorically denied that students’ psychological records were part of that breach.
“As the District and its partners delve deeper into the reality of the data breach, the scope of the attack further actualizes and new discoveries have been revealed,” Jack Kelanic, the district’s senior administrator of IT infrastructure, said in a statement. “Approximately 2,000 student assessment records have been confirmed as part of the attack, 60 of whom are currently enrolled, as well as Driver’s License numbers and Social Security numbers.”
The 74 published an extensive investigation by reporter Mark Keierleber Wednesday revealing that the records — among the most sensitive information school districts maintain on students — could be uploaded from a dark web leak site of the Russian-speaking ransomware gang Vice Society. The cyber criminal gang infiltrated LAUSD’s computer system last year and then released the records when the school district refused to pay an undisclosed ransom demand.
When presented with the results of The 74’s investigation Tuesday, district officials did not retract or correct Carvalho’s earlier statements, which a district spokesperson said “were based on the information that had been developed at that time.” The comments were made in early October, about a month after the cyber attack was first reported, and at a point where school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web, according to the schools chief.
The district is now saying that notification to individuals whose information was posted has been slowed by the painstaking nature of the process and the fact that some of the records date back nearly 30 years. To comply with state privacy rules, the district posted a data breach notice to the California state attorney general’s office website in January disclosing that district contractors’ certified payroll records and their names, addresses and Social Security numbers were leaked.
School officials have not said anything publicly about notifying current or former students or district employees that their information has been compromised, but said Wednesday their investigation is ongoing and they “will continue notifying individuals as they are determined.” A day earlier, a district spokesperson told The 74 that no current or former students had been informed that their psychological records were posted online.
The records identified by The 74 were at least a decade old and involve special education students. They include a comprehensive background on the student’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning.
“It could ruin careers, it could damage families, people could get fired, it could potentially increase the likelihood of self harm if they suffer some kind of mental trauma from it,” a cyber security expert told the Los Angeles Daily News for a story it published on the district’s response to The 74’s investigation.
Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter