Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, says the Vice Society ransomware gang has stolen files containing contractors’ personal information, including Social Security Numbers (SSNs).
LAUSD also revealed that the threat actors were active in its network for over two months, between July 31, 2022, and September 3, 2022.
“Through our ongoing investigation, we determined that between July 31, 2022, and September 3, 2022, an unauthorized actor accessed and acquired certain files maintained on our servers,” the school district said in data breach notification letters sent to affected individuals.
While reviewing the data stolen during the two-month-long security breach, LAUSD discovered payroll records and other labor-related documents that included impacted people’s SSNs, names, and home addresses.
“On January 9, 2023, we identified labor compliance documents, including certified payroll records, that contractors provided to L.A. Unified in connection with Facilities Services Division projects,” LAUSD said.
“Those files contained the names, addresses and Social Security numbers of contractor and subcontractor employees and other affiliated individuals” that provided LAUSD “with certified payroll records in connection with Facilities Services Division projects.”
This comes after LAUSD superintendent Alberto M. Carvalho confirmed in October 2022 that Vice Society published the stolen data on its leak site and announced that the district’s experts and law enforcement had started analyzing the leak’s impact.
Before leaking the stolen files, the gang told BleepingComputer that they had stolen 500 GB of data from the school system’s systems but didn’t provide any proof.
LAUSD entry on Vice Society’s data leak site (BleepingComputer)
The ransomware gang leaked LAUSD’s data after the school district announced that it would not give in to the cybercriminals’ ransom demands and that it could better use the money for its students and their education.
“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” LAUSD said at the time.
Since Social Security Numbers and other sensitive personal information have been exposed, those affected by the data breach should immediately freeze their credit to prevent financial fraud and identity theft.
LAUSD is providing contractors and their employees with a one-year complimentary membership to Experian’s IdentityWorks℠, which would help detect misuse of their information.
The day LAUSD disclosed the ransomware attack, the FBI, CISA, and MS-ISAC published a joint advisory warning of Vice Society disproportionately targeting the U.S. education sector.
After breaching LAUSD, Vice Society has claimed attacks on other school districts, schools, and universities worldwide, including the Cincinnati State Technical and Community College and the University of Duisburg-Essen (UDE).
LAUSD enrolls more than 640,000 students, from kindergarten through 12th grade, and it includes Los Angeles, 31 smaller municipalities, and some unincorporated sections of Los Angeles County.