In Partnership with 74

L.A. schools investigate data breach as FCC approves $200M cybersecurity pilot

Mark Keierleber | June 18, 2024

On the same day that millions of sensitive records purportedly stolen from the Los Angeles school district were posted for sale on the dark web, the Federal Communications Commission approved a $200 million pilot program to help K-12 schools and libraries nationwide fight an onslaught of cyberattacks. 

A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted June 6 by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years. 

Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.

“School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyber attacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

“So today, we’re going to do something about it,” she said.

The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late.

When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it noted in a fact sheet. While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.” 

A post on the BreachForums marketplace listed a trove of Los Angeles Unified School District records for sale for $1,000. (Screenshot)

The Satanic Cloud, which posted the most recent batch of LAUSD data, said it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

The Los Angeles district is aware of the threat actor’s claims, a spokesperson wrote in a June 6 email, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

‘It’s definitely sensitive data’

In an investigation last year, The 74 found that thousands of students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the Los Angeles district. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had. 

Just last month, a joint investigation by The 74 and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets revealed that personal student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breach notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district.

The latest Los Angeles files were listed this month on the dark web marketplace BreachForums, an online outpost that was taken offline briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it arrested the site’s owner, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users. 

A sample file included in the L.A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. Data disclose students who receive special education services, their addresses and their home telephone numbers. A list of file names suggests the records include similar information about teachers.

Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told The 74 “there is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the subject of previous hacks that led to the public disclosure of troves of sensitive information. 

Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he said, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack. 

“Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.

“It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.” 

‘An important step forward’

During the June 6 FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity, citing a report by the federal Cybersecurity and Infrastructure Security Agency which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints are the most vulnerable to attacks. Connectivity, she said, is “essential for education in the 21st Century.” 

“Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.” 

Faced with a growing number of cyberattacks, educators have for years called on the FCC to provide cybersecurity resources with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter — but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households. 

In a letter to the commission last month, the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On June 6, the library association nonetheless expressed support for the pilot. 

“The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told The 74 that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

“There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge to schools that “may end up convincing some to buy solutions that, frankly, they don’t need.”

This article was published in partnership with The 74.