The insidious ransomware gang known as Vice Society recently published documents and data that it stole from the Los Angeles Unified School District (LAUSD) in a dedicated cyberattack.

Superintendent for the LAUSD, Alberto M. Carvalho, provided a statement via social media platform Twitter, confirming the disclosure of stolen data while simultaneously announcing a built-for-purpose hotline launching for concerned students and parents, enabling them to make queries about the data breach.

The Tweet from the superintendent commented:

“Unfortunately, as expected, data was recently released by a criminal organisation. In partnership with law enforcement, our experts are analysing the full extent of this data release.”

A hard stance against cybercrime

The public disclosure of school data followed an announcement from the Los Angeles school system stating that it would not be acquiescing to Vice Society’s ransom demands and that the LAUSD could better employ the money for its students and their ongoing education.

Law enforcement agencies and government officials both in the US and here in the UK have been vocal on urging companies and educational institutions to refuse to give in to ransom demands. They have advised that by paying up, ransomware attack victims are encouraging gangs to become bolder and increase their activities, leading to further attacks. They are also quick to remind firms and schools that regardless of whether a ransom is paid, a data breach has already occurred, and the private information of data subjects exposed.

A recent statement from the LAUSD echoed this stance:

“Los Angeles Unified remains firm that dollars must be used to fund students and education. Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”

In response, the Vice Society ransomware gang revised their data leak site entry for the LAUSD, adding a link to the data stolen during their attack.

School data scored by Vice Society

Before including access to the stolen data, the nefarious ransomware gang had claimed they had taken 500 GB worth of data during their incursion, but had provided no solid proof of the data theft. Assessments of the newly available data leaked online suggest that it may contain sensitive data. Folder titles uploaded included “Passport”, “Incident” and “Secret and Confidential”.

A spokesperson for law enforcement has since warned that the leaked data includes legal and contract documents, multiple database entries, business records and psychological student assessments. The LAUSD has confirmed that it will be notifying individuals within the school community, employees, and partners if their confidential information was disclosed during the attack. It has also stated it will be offering victims of the attacks free access to credit monitoring services.

Stolen personally identifiable information (PII) is often used in phishing attacks. As a result, all impacted parents, school students and personnel should remain vigilant against unsolicited emails, text messages and phone calls that use their information as a lure.