LAUSD investigates claims that student and teacher data are for sale on the dark web

Alberto Carvalho, Superintendent, Los Angeles Unified School District, the nation's second-largest school district, comments on an external cyberattack on the LAUSD information systems during the Labor Day weekend, at a news conference in Los Angeles Tuesday, Sept. 6, 2022. Despite the ransomware attack, schools in the nation's second-largest district opened as usual Tuesday morning. (AP Photo/Damian Dovarganes)
L.A. Unifed Supt. Alberto Carvalho comments on an external cyberattack on the LAUSD information systems during the 2022 Labor Day weekend. (Damian Dovarganes/AP)

Los Angeles Unified is investigating claims that a user on the dark web is offering purported identifiable data about students and teachers, information that cyber experts say may have been obtained in a 2022 cyberattack.

A Times review of the dark web listing, which was posted Thursday afternoon, showed sample files contained sensitive information on hundreds of people born between 1993 and 2010.

The sample data set released by the seller included dozens of data fields on the purported students including home address, homelessness status, disability status and contact information for relatives.

The district has not confirmed whether the data correspond to actual students.

"Los Angeles Unified has become aware of an account from a malicious actor purporting to offer certain district data for sale," the LAUSD said in a statement.

LAUSD is "investigating the claim and engaging with law enforcement" in response, the statement said. "As always, we prioritize the privacy of our students, families and employees."

The information, offered for $1,000 on a hacker forum, totaled around 11 GB of purported data in a handful of files, according to a screenshot provided by the user who posted it.

In total, around 24 million records were on offer, the post claimed.

Read more: No widespread, systemic release of confidential data in LAUSD cyberattack, Carvalho says

After the LAUSD computer systems were attacked by the Vice Society ransomware group in September 2022, Supt. Alberto Carvalho said the attackers failed to steal valuable data but that some individuals had their personal information released on the dark web.

It was unclear whether the data uploaded Thursday corresponded to that which was taken in the 2022 attack, but experts said the two may well be connected.

Thomas Richard, a cybersecurity expert at Synopsys Software Integrity Group, said that "while the information breached doesn’t pose an immediate financial risk," the people in the files "now have their personally identifiable information exposed."

The detailed information could be used in future phishing attacks, said Kaustubh Medhe, an executive at Cyble, a threat detection company.

Sign up for Essential California for news, features and recommendations from the L.A. Times and beyond in your inbox six days a week.

This story originally appeared in Los Angeles Times.