The Vice Society ransomware gang on Saturday posted data stolen from the Los Angeles Unified School District in an attack last month. The leak came a day after the superintendent, Alberto Carvalho, said publicly that the district, the country’s second-biggest K-12 system, would not pay a ransom.
The data trove posted on a Vice Society leak site runs upward of 500 gigabytes and appears to include large volumes of documents containing employees’ Social Security numbers, tax forms, financial records and other sensitive information. Screenshots reviewed by StateScoop include a W-9 tax form, a purchase order for motor oil and a file directory that includes images of a district employee’s passport. (W-9 forms are IRS documents required to be completed by independent contractors, and include fields for Social Security numbers.)
Vice Society claimed credit for the incident not long after the group was the target of a federal advisory warning about the group’s predilection for targeting the education sector. So far this year, there have been 56 ransomware incidents affecting K-12 and post-secondary academic entities in the United States. Vice Society also accounts for 17% of ransomware attacks against the education sector worldwide this year, according to Recorded Future analyst Allan Liska.
Carvalho had acknowledged last month the possibility that Vice Society would make good on a threat to post the data it stole from Los Angeles USD. The malware outfit had also said it would give the district until midnight Tuesday, London time, to pay its ransom, the value of which has not been made public.
“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” read a district press release last Friday.
It appears Vice Society then abandoned its deadline.
In a statement posted to Twitter Sunday night, Carvalho said the publishing of school data is now being reviewed.
“Unfortunately, as expected, data was recently released by a criminal organization,” he wrote. “In partnership with law enforcement, our experts are analyzing the full extent of this data release.”
The district has also set up a hotline for employees, students and their families to answer questions about the incident. The Los Angeles Unified School District enrolls about 665,000 students and employs more than 25,000 teachers and more than 50,000 other administrators and support staff.
LAUSD’s response to the incident has also included the creation of an IT task force — days after the incident was detected Sept. 5 — that’s ordered to analyzing the district’s cybersecurity posture and report back within 90 days. Carvalho also used a Sept. 13 board meeting to secure emergency spending powers for one year, allowing the district to issue no-bid contracts that may not be subject to the usual financial disclosure rules.