A cyberattack targeting the huge Los Angeles Unified School District over the Labor Day weekend prompted an unprecedented shutdown of the district’s information technology systems as authorities scrambled to trace the perpetrators and restrict potential damage.
Schools in the nation’s second-largest district opened as scheduled on Tuesday and 540,000 students and 70,000 district employees were forced to change their passwords to prevent additional incursion. Though the attack used technology that encrypts data and won’t unlock it unless a ransom is paid, in this case the district’s superintendent said no immediate demand for money was made.
Such attacks have become a growing threat to U.S. schools, with several high-profile incidents reported since last year as pandemic-forced reliance on technology increases the impact.
So far this year, 26 U.S. school districts — including Los Angeles — and 24 colleges and universities have been hit by so-called ransomware, according to Brett Callow, a ransomware analyst at the cybersecurity firm Emsisoft.
With victims increasingly refusing to pay to have their data unlocked, many cybercriminals instead use the same technology to steal sensitive information and demand extortion payments. If the victim doesn’t pay, the data gets dumped online.
Callow said at least 31 of the schools hit this year them had data stolen and released online, and noted that eight of the school districts have been hit since Aug. 1. The upsurge on schools as summer vacations end is almost certainly not coincidental, he said.
“It is the No. 1 threat to our safety,” said Michel Moore, chief of the Los Angeles Police Department, at a news conference Tuesday to address the attack in LA. “It is an invisible foe and it is tireless.”
Authorities believe the LA attack originated internationally and have identified three potential countries where it may have come from, though Los Angeles Unified Superintendent Alberto Carvalho would not say which countries may be involved. Officials did not identify the ransomware used.
“This was an act of cowardice,” said Nick Melvoin, the school board vice president. “A criminal act against kids, against their teachers and against an education system.”
The district said the investigation and response involved the White House, the U.S. Department of Education, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Although the district characterized the cyberattack as a “significant disruption to our system’s infrastructure,” officials did not see any evidence of major issues with instruction or such services as transportation and food in the first half of Tuesday’s school day, but cautioned that business operations might still be delayed or modified.
The perpetrators appear to have targeted the facilities systems, which involves information about private-sector contractor payments — which are publicly available through records requests — rather than confidential details like payroll, health and other data, Carvalho said.
The attack was discovered around 10:30 p.m. Saturday when staff detected “unusual activity” within the district’s cyber systems, the superintendent said.
“We basically shut down every one of our systems,” he said, noting that each one had been checked and all but one — the facilities system — restarted by late Monday night, when the district first notified the public of the attack.
While there was pressure to cancel school on Tuesday, officials ultimately decided to stay open.
A ransomware extortion attack in Albuquerque’s biggest school district forced schools to close for two days in January. At the time, the superintendent said virtual schooling in light of the pandemic offered more ways for hackers to access the district’s system.
Had the activity in LA not been discovered on Saturday night, Carvalho said there could have been “catastrophic” consequences.
“If we had lost the ability to run our school buses, over 40,000 of our students would not have been able to get to school, or it would have been a highly disrupted system,” he said.
The district plans to do a forensic audit of the attack to see what can be done to prevent future incursions.
“Every teacher, every employee, every student can be a weak point,” said Soheil Katal, the district’s chief information officer.
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.
