Los Angeles Schools Probing Data Breach After FCC Greenlights $200M Cybersecurity Program

On the very day that numerous sensitive records reportedly stolen from the Los Angeles school district were listed for sale on a dark web marketplace, the Federal Communications Commission gave the green light to a $200 million trial initiative to assist K-12 schools and libraries nationwide in combating a wave of cyberattacks.

Confirming the development, a Los Angeles Unified School District representative acknowledged an offer on a notorious dark web platform posted by a user known as “The Satanic Cloud,” seeking $1,000 in return for a collection of over 24 million records. This revelation comes nearly two years after the district was hit by a ransomware attack resulting in the wide-scale exposure of sensitive student records, some dating back several years.

In parallel, federal authorities referenced the previous ransomware incident in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel highlighting the escalating threat faced by districts of varying sizes.

“School districts, ranging from the vast Los Angeles Unified in California to the small St. Landry Parish in Louisiana, have been targeted by cyberattacks,” Rosenworcel remarked, underscoring the disruptive learning repercussions and considerable district recovery costs stemming from such events. “The issue is intricate, but the vulnerabilities in the networks utilized by our nation’s schools and libraries are tangible and escalating.”

“With that in mind, we’re taking action today,” she emphasized.

The FCC’s five-member panel voted 3-2 in support of the initiative, allocating the budget to equip eligible school districts and libraries with firewalls and other cybersecurity mechanisms over a three-year period. While the trial focuses on examining how federal resources can be utilized to fortify the defenses of these vulnerable entities, some critics have deemed the effort insufficient and belated. When the proposal was originally put forth in July, education stakeholders voiced the need for a more prompt and substantial federal intervention.

Selected districts participating in the newly sanctioned trial will be granted a minimum of $15,000 for authorized services, with the commission aiming to distribute funds to as many schools and districts as possible, according to a detailed fact sheet. Despite the funding not being comprehensive enough to address all cybersecurity needs on its own, the commission is resolved to ensure that each participating school receives funding to prioritize the implementation of solutions within a key technological category.

A post on the BreachForums marketplace listed a trove of Los Angeles Unified School District records for sale for $1,000. (Screenshot)

The entity “The Satanic Cloud,” responsible for the recent release of LAUSD data, clarified to The 74 that this incident is entirely distinct from what transpired during the ransomware attack on the nation’s second-largest school district in September 2022. Despite that assertion, an executive at a prominent threat intelligence firm stated that their team suspected the data’s origins trace back to the earlier episode.

Notably, the Los Angeles district has acknowledged the claims made by the threat actor, sharing that they are actively investigating the situation and collaborating with law enforcement to address the incident.

‘It’s definitely sensitive data’

A previous investigation by The 74 revealed that following a ransomware attack on the Los Angeles district, numerous students’ psychological evaluations were leaked online. Initially denying the compromise of mental health records, the district subsequently acknowledged their exposure within hours of the report.

Just recently, a collaborative probe by The 74 and The Acadiana Advocate showcased how officials at the 12,000-student St. Landry Parish School Board, situated approximately 63 miles west of Baton Rouge, delayed notifying data breach victims for five months after a ransomware attack. The delayed disclosure came after an initial inquiry disclosed the exposure of personal student, employee, and business records despite the district’s contrary claims, leading to potential violations of state breach notification laws. With the publication of the first exposé, the Louisiana Attorney General’s Office promptly issued a cautionary note to the district.

The latest batch of Los Angeles files was made available Thursday on the dark web platform BreachForums, which was briefly suspended last month following federal intervention. The site was initially targeted by the Federal Bureau of Investigation in March 2023, resulting in the arrest of the forum’s operator, 20-year-old Conor Brian Fitzpatrick, in Peekskill, New York. BreachForums, which boasted over 340,000 users, was among the largest hacker forums at the time.

A sample file included in the L.A. listing comprises names, student IDs, and other demographic particulars of over 1,000 students and their parents. The data discloses details on students receiving special education services, along with their addresses and contact numbers. Additionally, file names suggest that similar information about teachers is also included in the records.

When approached through the encrypted messaging app Telegram, the responsible party listing the Los Angeles data on BreachForums asserted to The 74 that there are no connections to the prior ransomware attack. The breach, as indicated by the threat actor, originated from the Amazon Relational Database Service, a cloud-based database creation tool. The service has previously been compromised, leading to the exposure of substantial volumes of sensitive information.

Kaustubh Medhe, the Vice President of Research and Threat Intelligence at Cyble, mentioned that the current threat actor, known for engaging in discussions on cryptocurrency scams, is now venturing into selling pilfered data for the first time. Cyble’s research team strongly suspects that the data originates from files exposed during the prior ransomware attack.

“Traditionally, we’ve witnessed instances where old data leaks resurface on dark web forums by different actors,” Medhe stated. Regardless, he emphasized the urgent need for district officials to take proactive steps. The exposed files could potentially fuel profiling or targeted phishing activities.

“This data is undoubtedly sensitive,” Medhe stressed, urging district officials to scrutinize the available sample dataset and verify its alignment with internal databases and possibly those lost in 2022. “A comprehensive incident response and investigation are imperative to rule out a potential new breach.”

‘An important step forward’

Commissioner Anna Gomez, during the FCC meeting on Thursday, underscored the educational equity aspect of the pilot program, referencing a report by the Cybersecurity and Infrastructure Security Agency highlighting the vulnerability of K-12 districts with limited cybersecurity capabilities and constrained resources to ransomware attacks and data breaches.

“The indispensable role of technology and high-speed internet access in 21st-century education cannot be overstated,” Gomez stated. However, she acknowledged the accompanying risks posed by malevolent actors in our increasingly digital world.

In light of the surging cyber threats faced by educational institutions, educators have long advocated for FCC support in cybersecurity endeavors by leveraging resources from the federal E-rate program. The E-rate initiative, designed to facilitate affordable broadband services for most public schools and libraries nationwide, garnered support from over 1,100 school districts in a joint appeal back in 2022. Despite the commission’s decision not to integrate the pilot with the E-rate program to preserve its objectives in bridging the digital divide, the pilot will be financed through the Universal Service Fund, tailored to subsidize telephone services for low-income households.

Expressing reservations about the pilot program’s efficacy, school cybersecurity expert Doug Levin highlighted the insufficiency of expert cybersecurity resources within many school districts, rendering the advanced tools from the pilot potentially unsuitable for systems lacking adequate capacity.

“While the need for support in schools is undeniable,” said Levin, co-founder and national director of the K12 Security Information eXchange, who cautioned against the technology-centered approach adopted by the FCC, which he deemed insufficient to effect meaningful change and liable to stimulate unwarranted purchases of unnecessary security solutions.
