The Los Angeles Unified School District, the victim of a major cyberattack over Labor Day weekend, has received a ransom demand from whoever hacked into its systems, district officials now say.
“We can confirm that there was a demand made,” Superintendent Alberto Carvalho told the Los Angeles Times, which first reported the ransom demand. “There has been no response to the demand.”
A spokesperson for the district would not provide further details on Wednesday, Sept. 21, about how much money the hacker or hackers demanded, what information they claim to have stolen or whether the district intends to pay a ransom.
District officials have said that they don’t believe employees’ Social Security numbers were stolen.
However, Carvalho has acknowledged that the hackers had “some degree of contact” with the district’s student information system. Officials did not know to what extent student information may have been compromised, the superintendent had said on Sept. 9.
The district is working with the FBI and local law enforcement on the ongoing criminal investigation and is acting upon the advice of such agencies and cybersecurity experts.
It is not surprising that the district has now received a ransom demand.
The Sept. 3 cyberattack involved the use of ransomware, and prompted the district to shut down all its computer systems. More than 600,000 of its students and employees had to reset their passwords – a process that led to days of delays and disruptions to classroom instruction.
Cybersecurity experts say most attackers who use ransomware are seeking money in exchange for returning stolen information or for agreeing not to release or sell that information to a third party.
Attacks on educational institutions are all too common, they say.
In 2021, 62 school districts and 26 colleges or universities in the United States were attacked by ransomware, according to the cybersecurity firm Emsisoft. At least half of those 88 incidents involved theft of data, with sensitive information about employees and students posted online.
One notable case was the 2019 cyberattack on Baltimore County Public Schools – an incident that reportedly cost the district more than $8.1 million to recover from.
Cybersecurity experts say educational institutions are easy targets because they typically don’t have large budgets for their information technology departments. That translates to outdated software and systems that aren’t the most secure.
LAUSD officials recently announced measures the district has taken or plans to implement to beef up security, including forming a task force to review district protocols related to cybersecurity; conducting needs assessments; seeking advice on best practices and systems; and allocating funds to strengthen its IT infrastructure.
Carvalho has also said he’s reviewing the results of an audit conducted about two years ago regarding L.A. Unified’s cybersecurity and why a number of recommendations weren’t acted upon.