On the first school day after hackers released confidential information stolen from the Los Angeles Unified School District, many parents and employees said they were frustrated about a lack of communication and worried about what private information hackers may have on them or their children, including medical information and finances.
In response to a crush of concern, L.A. schools Supt. Alberto Carvalho scheduled an update late Monday afternoon but as of 4 p.m. had provided little information about what hackers had posted on the dark web.
Hackers calling themselves Vice Society posted the documents Saturday — two days ahead of their deadline for a ransom payment — after Carvalho made clear that the district would not pay up.
The computer system that was most compromised is in the facilities division, putting private information from construction and maintenance contractors especially at risk.
Technology specialists who have reviewed some of the posted documents — and who provided screen shots that were reviewed by the Times — suggest that there is cause for concern. The documents include W-9 forms, which contain Social Security numbers, and other forms that are expressly used to collect confidential information.
A Times review of just a fraction of the massive trove confirmed the specialists’ reviews and found a report on an employee’s criminal record and pending cases. There’s also payroll information for a major construction contractor and one of its subcontractors. Also released were more mundane materials: building maintenance logs, photos of a camping trip, audio files to play for staff birthdays.
The documents also included passports, and a tech site reported finding psychological evaluations and conviction records.
The attack unfolded over Labor Day weekend. L.A. Unified technicians noticed and cut off the attack while it was in progress Sept. 3; otherwise, they say, the damage to systems and data theft could have been much worse.
Still, the hackers achieved some degree of access to the student information system, which contains grades, coursework, disciplinary records and disability status.
“I am so disgusted by this act against the most vulnerable members of our society,” said Alicia Montgomery, head of the Center for Powerful Public Schools, a locally based advocacy group.
Montgomery was especially outraged about the impact on L.A. Unified and other targeted school systems amid recovery efforts from the COVID-19 pandemic.
“To think they are just holding districts across the country hostage — impeding academic instruction and growth at a time when we are all trying to mitigate the harm from two years of emergency instruction is bad enough. But to add insult to injury, they are selling information about children,” she said. “This is just so despicable.”
Parents on Monday expressed frustration.
Charlotte McPherson, whose 8-year-old daughter goes to Woodland Hills Elementary School, said she feels that the district has been unclear and inconsistent in sharing what information has been compromised.
“Shouldn’t the institution that is entrusted with my child and her information be responsible for communicating what’s going on?” asked McPherson, who has been a victim of identity theft and worries that her daughter could become one as well.
The school system has posted general updates on social media, but McPherson was unhappy that she hadn’t received more explicit communication: “If there’s a direct threat of my child’s medical info being released or any of her demographic information, the district should be telling me that.”
She also worries about the effect on employees.
“If there’s [Social Security numbers] and compromised information for teachers and educators, what kind of confidence does this give them in their district? We’re already losing teachers,” she said.
Also displeased was Jenna Schwartz, co-founder of the Parents Supporting Teachers Facebook group, which issued a statement Monday.
“LAUSD Communication has dwindled to almost nothing with the current administration,” the statement said in part. “Superintendent Carvalho communicates only with his immediate team or on social media. … Families and staff are living in a world of obscurity.”
Some parents were trying to remain patient.
“As a new parent to LAUSD — kinder student — I’m super concerned, but I’m going to wait for more information to come,” said Nancy Montes. “I trust the teachers and staff at my child’s school.”
One part of the attack was the theft of data. Another was an effort to encrypt systems, making them unusable.
Carvalho said all systems affecting students and parents were up and running within a week after the Sept. 3 cyberattack, but many parents have experienced problems.
Elizabeth Hernandez, who has a 14-year-old and an 8-year-old, said she was unable to access the district’s parent portal. As a result, she could not apply to volunteer at her children’s schools.
She too is concerned about the posting of private data: “We’re not sure, because we’re not being told what is really going on.”
She wonders how committed the school system will be to addressing identity theft that emerges years from now due to the hack.
“I don’t know what type of issues this will bring in the future to my children or anyone in the school district,” she said. “The future problems are what I’m more worried about.”
Even so, Hernandez agrees with the district’s decision to not pay the ransom, she said.
Emily Bañales, who has three children in LAUSD schools, would have preferred that the district pay it. She’s also worried about what repercussions the hack will have on her children years from now, perhaps when they turn 18 or apply for a credit card.
“How is this going to affect them five years down the line, 10 years down the line, when they get out of high school and they try to get into college?” asked Bañales, who lives in Pacoima.
An “incident response” line was jammed Monday when it first became available at 6 a.m. KNX news radio reported wait times of at least 45 minutes early on; an early-afternoon check by The Times tallied a 20-minute wait.
The staffer who answered said she worked for an outside firm that had been brought in to help with the hotline. The hotline, at (855) 926-1129, is open Monday through Friday from 6 a.m. to 3:30 p.m.
For the time being, callers are being told to wait while the district determines if they have been victimized and what best to do about it. The district has pledged to help with credit monitoring and other services.
One parent confronted the situation with dark humor.
“If my kid’s online homework submissions from the past couple years end up getting popular on the dark web, I would like a cut of the profits to make up for the premature destruction of her credit rating,” she said.
Source: LA Times