Kept in the dark: Inside a trio of Los Angeles school cyberattacks

The Los Angeles Unified School District was ensnared by three high-profile cyberattacks in the last few years, each of which exposed reams of sensitive information online. 

Three subsequent class-action lawsuits from parents accused the nation’s second-largest district of taking inadequate steps to protect their children’s personal records — and failing to tell them that sensitive information had been leaked. The district has since taken multiple actions to shield details about the incidents from public view. 

The trio of events encompass a September 2022 ransomware attack that exposed students’ highly sensitive psychological evaluations among other records; a January 2022 cyberattack on education technology company Illuminate Education, which compromised sensitive information in Los Angeles and districts nationwide; and a massive June 2024 cyberattack on the cloud computing company Snowflake, a third-party vendor used by the district to store certain records. 

Threat actors with the Vice Society cybergang took credit for the September 2022 ransomware attack on L.A. schools, posting the records to its dark web leak site after education officials did not pay its extortion demand. In the aftermath of the attack, Superintendent Alberto Carvalho sought to downplay its effect on students. An anonymous law enforcement source told the local press that students’ psychological evaluations were included in the leak, a revelation Carvalho refuted as “absolutely incorrect.” 

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system but said the “vast majority” of exposed student records involved their names, academic records and home addresses. 

An investigation by The 74 into the leak uncovered that the breach had, in fact, exposed student psychological evaluations, which contain a startling degree of personally identifiable information about students receiving special education services, including their detailed medical histories, academic performance and disciplinary records. Just hours after our story published, the district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web. 

In a statement to The 74, a district spokesperson said its cybersecurity response protocol “follows a clear, structured process that prioritizes swift internal assessment and adherence to all applicable state and federal data privacy regulations.” The process, the district said, is “designed with transparency, compliance and community trust in mind.”

Due to the sensitive nature of the information, students may have to “deal with this breach for the rest of their lives,” attorney Ryan Clarkson told The 74. Clarkson represents students and parents in a class-action lawsuit alleging LAUSD failed to act on known cybersecurity vulnerabilities and provided families insufficient notice that students’ personal records had been compromised.  

“It’s hard to bury it, it’s hard to get away from it, it’s kind of part of who we are,” Clarkson said in an interview. “Your psychology as a child is always going to be your psychology as a child.”

While the parents of special education students had been left in the dark about the breach, so too were members of the district’s special education committee. Carvalho acknowledged at a September 2022 special education committee meeting that L.A. Unified was a “district under siege” and sought to “dispel rumors” about the incident, including one that multiple attacks had occurred. He didn’t make any statements regarding the impact on sensitive special education records. 

Carl Petersen, who served on the committee at the time, told The 74 that Carvalho left the committee members without information about the attack’s ramifications on children with disabilities. 

“At that point it was, ‘Oh, this was a very minor thing. We caught them in the system immediately and we shut it down,” said Petersen, who described Carvalho’s comments as part of a larger district effort to obfuscate. 

In January 2023 — four months after the attack — L.A. school officials acknowledged in a submission to the California attorney general’s office that sensitive records had been exposed but only listed Social Security numbers included in payroll records and third-party contractor files swept up in the breach. It wasn’t until March 2023 that they disclosed to state regulators the leak had also compromised sensitive student records. 

The letter submitted to the California AG’s office doesn’t make clear the types of student records that were affected but urges individuals to “keep a copy of this notice for your records in case of future issues with your child’s medical records.” 

The 74 submitted a public records request for information related to the ransomware attack, including complaints submitted to a hotline LAUSD created in its wake, insurance claims, Carvalho’s communications with the FBI and the types of student records that were subject to disclosure. The district denied the requests, stating it could not locate any “non-privileged responsive records,” meaning that they didn’t have to provide any of the records that were responsive because they were legally protected from disclosure. 

A week after it was discovered, the school board voted unanimously to grant Carvalho emergency spending powers to recover from the 2022 Labor Day weekend attack, allowing the schools chief a year to “enter into any and all contracts” to address the incident “without advertising or inviting bids and for any dollar amount necessary.” 

'Shared With the World'

In August 2023, nearly a year after the attack, Carvalho made a high-profile appearance at the White House, where then-First Lady Jill Biden warned about the growing threat of cyberattacks on students and a need to do more to protect their sensitive data.

“If we want to safeguard our children’s futures, we must protect their personal data,” she said at the first-ever K-12 cybersecurity summit. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

Carvalho said quick reaction time by the Los Angeles district and federal law enforcement officials set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. His remarks in the East Room didn’t touch on the leak of students’ mental health records but said the number of stolen files “could have been much worse” had officials not acted quickly to prevent the cybercriminals from encrypting additional district systems. One action they had no intention of doing, he said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”  

Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried that fallout from the data breach could divert money from the services her children with disabilities need.

“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, while acknowledging it “would be very disturbing” if her own child’s psychological evaluations were leaked online. 

As L.A. Unified’s response to the attack was being lauded by federal officials at the White House summit, its lawyers were in court with parents who alleged the district’s mitigation efforts weren’t just inadequate — they violated the law. Three separate lawsuits filed in Los Angeles County Superior Court charge the district had insufficient safeguards in place to secure students’ sensitive records and failed to provide enough notice to victims once that information was stolen. 

An inspector general’s office audit two years before the ransomware attack highlighted cybersecurity vulnerabilities yet, the complaints allege, LAUSD failed to take the necessary steps to prevent the attack. Parents also charge the district failed to comply with state data breach notice requirements after it learned that students’ psychological records and other files were published online. 

The most recent complaint was filed in September 2024 against the district and the company InfoSys, which built and manages the My Integrated Student Information System — the district’s primary student data portal. The district “has stated under oath in discovery responses” that InfoSys managed the student information system that was compromised, according to court records filed by the plaintiffs

Insufficient cybersecurity protocols allowed the intrusion to go unnoticed for more than two months, the lawsuit alleges, and, once it was discovered, L.A. school leaders failed to provide “prompt and accurate notice of the data breach.” 

The breached portal “is currently the largest student data system in the United States,” the 162-page complaint notes, yet district officials “prioritized a race to incorporate technology in classrooms, with no regard for the risks of harboring troves of student data in online databases subject to cyberattacks.” 

One District, Three Breaches

Months before the Vice Society ransomware attack began, Los Angeles student records were exposed in a cyberattack on ed tech vendor Illuminate Education, which affected districts nationwide. LAUSD submitted a breach notice to the California attorney general’s office in May 2022, some five months after the incident unfolded. The report doesn’t disclose the types of information that were exposed or the number of students who had been affected. 

Then, in June 2024, a threat actor who goes by the name “the Satanic Cloud” posted a listing on a notorious dark web marketplace, seeking $1,000 in exchange for what they claimed was a trove of more than 24 million L.A. school district records. A second threat actor, known as “Sp1d3r” similarly posted a listing for records reportedly stolen from the district with a $150,000 price tag. 

The district said school data maintained by a third-party vendor was caught up in a cyberattack on the cloud computing company Snowflake, but officials didn’t disclose the name of the vendor or the types of records that may have been compromised. 

The district denied a public records request by The 74 seeking information related to the incident, saying that certain files were protected by attorney-client privilege. 

The incident doesn’t appear in a California attorney general’s office database of data breaches.