The Los Angeles Unified School District said it’s investigating, alongside law enforcement, a claim that certain district records are for sale online, an LAUSD spokesperson told K-12 Dive.
The claim stems from a threat actor's post on BreachForums, a cybercrime forum, offering to sell about 24 million records belonging to LAUSD for $1,000. A June 6 post by Dark Web Informer on social media platform X included a screenshot of the claim.
“Los Angeles Unified has become aware of an account from a malicious actor purporting to offer certain district data for sale,” the LAUSD spokesperson said in an emailed statement. “As always, we prioritize the privacy of our students, families and employees.”
The latest claims on compromised district data have yet to be verified by LAUSD. The district also did not respond to a question about whether or not the data alleged to be currently up for sale on the dark web is tied to a major ransomware attack against the district that first occurred in September 2022.
Kaustubh Medhe, vice president of research and threat intelligence at threat-intel firm Cyble, took a closer look at the dark web forum post and said in a statement that these records appear to contain personally identifiable information. This includes student IDs, names, dates of birth, English proficiency status, special education status, home addresses, phone numbers and parents' names.
The information can lead to privacy concerns, like targeting victims in phishing or profiling attacks, Medhe said. But, he added, “the fact that it's only being sold for $1,000 indicates it lacks sensitive account-level information such as passwords, making it less valuable for fraud but still significant for secondary attacks like phishing.”
Ransomware group Vice Society later claimed responsibility for the September 2022 cyberattack against LAUSD, the nation’s second-largest school district. That same gang of cybercriminals also threatened to publish its stolen data from the district a month after the breach was first reported.
While Vice Society’s prominence has declined as of May 2023, Medhe said a new ransomware group called Rhysida has since emerged and also strongly resembles Vice Society. It’s very possible that the two groups are linked, he said. Rhysida has targeted 24 educational institutions from June 2023 to December 2023 and remains active today, according to Medhe.
“There is a high likelihood that Satanic may be trying to monetize old data that was posted by the Vice Society group in 2022,” Medhe said. “While it's difficult to confirm definitively, the exposed data fields suggest that this data isn't the result of a new attack but rather a re-circulation of data from the previous breach.”
Either way, he said, an investigation by LAUSD is necessary to validate the claims about this breached data and to determine whether they relate to a new incident separate from the one in September 2022.