"If any inkling of a hack happens again, the public will know immediately. We will do that as a Board."When the Los Angeles Unified School District (LAUSD) had its computers infiltrated by Russian hackers 22 months ago it provided a case study on how not to respond to a crisis. In the immediate aftermath of the attack, Superintendent Alberto Carvalho not only lied about the timeline of the attack but threatened anyone who publicly questioned these fictional details, saying they would be investigated by the "federal authorities." Then after denying for months that any sensitive information had been compromised, the District was forced to admit that "detailed and highly-sensitive mental health records of hundreds -- and likely thousands -- of former Los Angeles students", including "psychological evaluations" could be found on the Dark Web. The breach particularly affected students receiving Special Education services.
- LAUSD Board Member Scott Schmerelson
One consequence of the LAUSD refusing to release details of this hack and its actions in response is that the public has no assurance that it is protected from future attacks. Board Member Scott Schmerelson has boldly stated that "it shall not happen again," but his assessment is based on what he has seen is being done "behind the scenes." After the lies told to the public in the aftermath of the Labor Day 2022 attack, their willingness to trust the system is very low.
Less than two years after this last attack, LAUSD files containing sensitive information about students, staff, and school sites have once again been posted for sale on the Dark Web. The sample file on the June 6, 2024, listing includes data indicating whether the student receives Special Education services.
While the District immediately acknowledged that sensitive information was being advertised, little was provided in the way of details beyond it "is investigating the claim and engaging with law enforcement to investigate and respond to the incident." This lack of concrete information harkens back to the disinformation campaign run by the Superintendent after the previous attack and is causing concern. Will the Board follow through with Schmerelson's promise to not repeat the mistakes of the past?
All six candidates in November's runoff election were given the opportunity to provide comments for this article. Only Board Member Schmerelson responded:
'As previously stated, on June 6, 2024, Los Angeles Unified became aware of an account from a malicious actor purporting to offer certain student and employee data for sale. Through its extensive and ongoing investigation, the District has determined that the data in question was maintained by one or more Los Angeles Unified external vendors on Snowflake, a cloud-based platform used for mass data storage, and appears to have been stolen in a manner consistent with recently publicized thefts involving numerous Snowflake accounts. So far, the District's ongoing investigation has revealed no evidence of any compromise to our systems or networks; however the investigation into the scope and extent of the data impacted is ongoing. Los Angeles Unified is continuing to engage with the FBI, CISA, its vendors, and consultants in furtherance of this investigation. The District prioritizes the privacy of our students, families and employees, and we will continue to work diligently in obtaining more information."
After taking care of the immediate needs of the victims of this data breach, the District must prioritize the investigation of how it was allowed to happen. Before the information being made available on the Dark Web were those responsible for data security aware that there had been "recently publicized thefts involving numerous Snowflake accounts"? If not, should they have been? If they were, what steps were taken to ensure the safety of District data?
The investigations into this new theft of data must be more open so that the public is assured that everything possible is being done to secure sensitive data. This includes ensuring that those responsible for allowing both breaches to occur are held responsible.
Carl Petersen is a parent advocate for public education, particularly for students with special education needs, who serves as the Education Chair for the Northridge East Neighborhood Council. As a Green Party candidate in LAUSD's District 2 School Board race, he was endorsed by Network for Public Education (NPE) Action. Dr. Diane Ravitch has called him "a valiant fighter for public schools in Los Angeles." For links to his blogs, please visit www.ChangeTheLAUSD.com. Opinions are his own.
