The posted records also included an unspecified number of driver's license numbers and Social Security numbers. The district statement did not say to whom those numbers belonged, but the school system does not routinely collect Social Security numbers from students.
Separately, the Long Beach school system, one of the state's largest, notified families Wednesday of a data breach that, so far, appears to contain the email addresses of students and student ID numbers.
The acknowledgment by L.A. Unified regarding sensitive student data came in the wake of an article by The 74, an education news site, reporting that detailed and sensitive mental health records of "hundreds — and likely thousands — of former Los Angeles students" were published on the dark web, containing "personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records."
The district did not directly address how many affected students or their families had been notified of the breach.
"We have already notified some individuals and vendors who have been impacted by this attack and will continue notifying individuals as they are determined," the statement said.
The district also provided some additional details on the types of records that had been breached.
"Some of these records go back almost three decades which creates further time-consuming analysis," the statement said. "Our review has also revealed positive COVID-19 test results were part of the breach. Further analysis is ongoing."
It's hard to uncover the trail of effects from such data breaches, Brett Callow, threat analyst for the cybersecurity company Emsisoft, told The Times.
"What impact does knowing that extremely sensitive information have on people, including in terms of their mental health?" Callow said. "How often is the stolen information misused? How often do third parties scrape the data and share it on other websites or on social media? How often [are] people actually contacted in extortion attempts?
"Unfortunately, it's not unusual for attacks to result in sensitive information leaking online," he continued. "Ransomware is more of a problem than people sometimes realize, and we really do need to find better ways to counter it."
The nature of most of the compromised records had been publicly disclosed months ago, with L.A. schools Supt. Alberto Carvalho characterizing individuals compromised by the breach as "outliers," given that the district has records for millions of individuals in its databases.
The new disclosures considerably increase the number of acknowledged victims and add details about the confidential information that was obtained.
Hackers are currently thought to have entered district computer systems as early as July 31. District technicians noticed the intrusion on Sept. 3, the Saturday of the Labor Day weekend, and responded by quickly shutting down systems to prevent further harm. After the district refused to pay ransom to the hacking gang, which has specialized in targeting educational institutions, the hackers posted about 500 gigabytes of data on the dark web.
The hackers' encryption of district systems, "tripwires" left behind that could have caused further harm and the district's own shutdown led to several weeks of gradually diminishing disruption. Some technical fixes have yet to be made.
Wednesday's statement marked the second time this year that L.A. Unified had disclosed greater harm than previously announced.
The first instance came by way of a notification in January to state regulators that the intrusion probably exposed confidential information, including Social Security numbers, of more than 500 people who worked for district contractors. This notification also stated that the intrusion into the computer systems of L.A. Unified began more than a month earlier than had been described in district briefings.
That January notification was part of documentation required by the state of California and did not become public until journalists found it in state records.
"Los Angeles Unified continues to assess the ramifications of the September 2022 cyberattack," according to the L.A. Unified statement, which was attributed to Jack Kelanic, senior administrator for IT infrastructure. "This is an ongoing investigation in partnership with forensic and cybersecurity experts where arduous, painstaking efforts are taking place to comb through the data, review individual pieces, determine what information was accessed, locate the impacted individuals and notify them of resources to protect themselves."
He added in the statement: "The aftermath of a cyberattack is a multi-layered, dynamic process in which real-time updates often alter the direction of an investigation... Ongoing legal notification is complex and made harder in many instances due to the age of files."
District spokesperson Shannon Haber said the district "always reported the information we had at the time," which she said was vetted before release by district lawyers and investigating law enforcement agencies.
The data breach in Long Beach Unified involved at least 130,000 student names, along with their corresponding school district-provided email addresses and their student ID numbers. These ID numbers are used within the school system but are not part of a permanent identification system in the manner of a Social Security number or driver's license.
A district spokesperson said that the student information system "remains secure, and no sensitive student data was accessed." Data that remain secure include addresses, birth dates and grades.
"Our team worked closely with a consortium of federal and local law enforcement agencies to ensure that more sensitive information was not compromised," said spokesman Chris Eftychiou. "As always, LBUSD will continue working to implement new features within our internal network to limit the capabilities of bad actors who look to gain notoriety through breaching sensitive data."
©2023 Los Angeles Times. Distributed by Tribune Content Agency, LLC.
