FBI joins investigation into LAUSD cyberattack as school continues


The cyberattack that disabled computer systems in the Los Angeles Unified School District was criminal in nature, but on Tuesday most online services — including major emergency systems — were operating safely.

Although the attack was carried out with a “ransomware tool”, the nation’s second-largest school system did not receive a ransom demand, LA Superintendent of Schools Alberto Carvalho said.

An investigation involving the FBI, Department of Homeland Security and local law enforcement is ongoing, underscoring the severity of the attack, which was detected at 10:30 p.m. Saturday.

In addition to taking the district’s website offline, the attack resulted in the loss of email access for staff and students. The systems teachers use to post lessons and take attendance also went down. Carvalho said no Social Security numbers or medical information was stolen.

Authorities decided to shut down many of the most sensitive systems in the district over the weekend as the attack was ongoing.

“By shutting down all systems, we were able to stop the spread of this event…limiting its potential damage,” Carvalho said. “It was the right call at the right time.”

Late Sunday night, officials determined the most vital systems were serviceable, and Carvalho moved to open schools as scheduled on Tuesday.

“No. 1, we’re having a pretty normal school day and that was our intention,” Carvalho told a news conference at the Roybal Learning Center, just west of downtown.

District technical staff, aided by federal and local law enforcement and other government experts, assessed the threat and damage before gradually restoring systems.

Carvalho described the attack as launched by a “ransomware tool that temporarily disabled systems, froze others, and gained access to some degree of data.”

Investigators, he said, advised him to provide few details about the nature of the attackers as the breach is under investigation.

Among the main challenges on Tuesday morning was the need for every student and employee to change their password. Carvalho said an early problem thwarted efforts to deliver that solution until around 9 a.m. A few minutes later, he said, the number of reset passwords jumped from around 5,000 to over 50,000.

An 8-hour update included a staggered schedule for changing passwords, with administrators and teachers starting first, followed by support staff, high school students, and finally elementary and middle school students.

For almost everyone, the password must be changed on a district site, but an exception will be made for 7,000 full-time distance learning students. Those students and parents can use the district’s tech support hotline — though the wait can be long, Carvalho said.

The district’s web page was partially restored early Tuesday morning, but the Board of Education page, which lists meetings and provides agendas and public reports, was still down by early afternoon.

The district did not announce the attack until Monday evening because, Carvalho said, a critical assessment and response was underway and because the release of information had to be approved by different agencies with a role in the investigation.

“Business operations may be delayed or changed,” the district said in the initial statement. However, “based on a preliminary analysis of critical business systems, employee health care and payroll are not impacted. The cyber incident also did not impact security and emergency in place in schools.”

But teachers continued to have problems with the system Monday morning. A teacher reported that she could not log in. “Some teachers feel like they can change their LAUSD password and then log in, but the password site is down,” one teacher said.

“I am unable to do my job, which is to ensure the attendance of students at school,” said an attendance counselor. “We have attendance sheets that we will collect, but I usually call home or make house calls to find out where the students are. Unfortunately, not having access to their information, I will not be able to know where these students are. As things stand, after the pandemic, we have been working hard to find students.”

Officials said they were working around the clock to resolve the issue on multiple levels.

“The White House brought together the Department of Education, the Federal Bureau of Investigation [FBI] and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency [CISA] to provide rapid incident support to Los Angeles Unified, backed by immediate support from local law enforcement,” the district’s announcement said.

When the district acknowledged the attack, officials also announced a series of measures to improve cybersecurity in the future. These actions, the district said, “have been taken, will be taken immediately, or will be implemented as soon as possible.”

The list includes:

  • Creation of an independent working group on information technologies. It would be responsible for developing recommendations within 90 days and providing monthly updates.
  • Deploy technical staff to the broad school system to help resolve issues that will arise in the coming days
  • Reorganize departments and systems “to strengthen consistency and strengthen data protection”
  • Appoint an advisory board of technology experts and appoint a technology advisor who will focus on security procedures and practices as well as an overall review of data center operations
  • Add dollars to the budget as needed and improve employee training
  • Analyze systems with the assistance of federal and state law enforcement

Lately, hackers have been targeting businesses and public bodies, including schools, for ransom or just to wreak havoc. A notable local attack targeted the Newhall school system in 2020.

Cyberattacks come in a variety of forms, including the theft of private information that can be misused later. In May, Chicago’s public school system announced that a massive data breach exposed four years of records for nearly 500,000 students and just under 60,000 employees.

The attack targeted a company that stored teacher evaluations and basic student information — including birthdates — but no financial records or social security numbers, according to the school system.

A separate recent cyberattack targeted a company, Illuminate Education, whose customers include LA Unified, and whose services, according to its website, reach “more than 17 million students” in 5,200 schools and school districts.

LA Unified has experienced a few major internal IT failures, particularly related to planned upgrades. In one case, the payroll system malfunctioned, resulting in underpayments and overpayments that took years to resolve. In another episode, a new student information system made student school records and class schedules unavailable.

Before the nature of the attack was clarified, a post on the local Parents Supporting Teachers Facebook page suggested making the best of the situation:

“LAUSD staff who thought they could get some work done today are being forced to relax due to a district-wide outage. Enjoy!”

Parents and teachers have reported various issues on social media.

“Apparently everyone I’ve spoken to/texted with says that when they try to log in they’re asked to change their Google password, saying it’s out of date... then when they do, it locks them out,” one person reported.

One teacher posted: “Anything that requires a lausd log[in] is down for the account!!”

Other staff also reported, referring to the Schoology system which is integral to posting and receiving assignments:

“My computer was connected to both school and my drive (before the blackout) and I have access to it. I can’t access other sites and I don’t log out for fear of being blocked.”

Another teacher had planned to catch up on Monday: “Confession… I haven’t finished my lesson plans. The only good thing is that I downloaded my teacher guides and all my slides.”

Another said: “EVERYTHING is on Google Drive. It is very frustrating. I pray that my disc is restored!”

