Contractors’ Social Security numbers were exposed in L.A. schools ransomware attack

Last year's ransomware attack against the Los Angeles Unified School District exposed contract workers' personal information, the district said.
social security card
(Getty Images)

Ransomware actors who attacked the Los Angeles Unified School District last year stole files that included the Social Security numbers and other personal information belonging to contract workers, according to a breach notification letter the district sent earlier this month.

LAUSD, the country’s second-biggest K-12 system, was attacked last September by affiliates of a ransomware group known as Vice Society, which later posted upward of 500 gigabytes of data on a leak site.

According to the district’s recent letter, the ongoing investigation into the attack revealed Jan. 9 that the files Vice Society stole during its unauthorized access to L.A. Unified servers included labor compliance documents, like payroll records, related to facilities contracts. The letter also revealed that the ransomware actors’ access to the district’s networks ran from last July 31 to Sept. 3, when the attack occurred.

The letter was first reported by Bleeping Computer.


A spokesperson for the school district declined to specify what date the letter was sent or the number of workers who received it. Recipients included current and former employees of companies with contracts and subcontracts for LAUSD facilities work.

Los Angeles Unified enrolls about 665,000 students and employs more than 25,000 teachers and more than 50,000 other administrators and support staff, making it a juicy target for Vice Society, a ransomware outfit that federal officials have warned is extensively targeting the U.S. education sector.

The district’s response also included the creation of an IT task force asked to analyze the school system’s cybersecurity posture, password resets for all network users and a board vote that granted emergency spending powers to Superintendent Alberto Carvalho, allowing him to issue no-bid contracts without going through the usual financial disclosure procedures.

Since the LAUSD attack, Vice Society has attacked other educational institutions both in the United States and abroad, including this week Germany’s University of Duisburg-Essen.

Latest Podcasts