

The 500 gigabytes of stolen records include tens of thousands of individual files, including scanned copies of adults’ Social Security cards, passports, financial records and other personnel files.

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system and had exposed a limited collection of students’ records, including their names and addresses. An early news report said the leaked files contained some students’ psychological assessments, citing “a law enforcement source familiar with the investigation.” Carvalho called that revelation “absolutely incorrect.”

schools Superintendent Alberto Carvalho acknowledged in early October that the cyber gang published some 500 gigabytes of stolen records to the dark web after the district declined to pay an unspecified ransom demand, he sought to downplay its effects on students.

The number of publicly disclosed cybersecurity incidents affecting schools has grown from 400 in 2018 to more than 1,300 in 2021, according to the federal agency. In a January report, the federal Cybersecurity and Infrastructure Security Agency warned that school districts were being targeted by cyber gangs “with potentially catastrophic impacts on students, their families, teachers and administrators.” Threats became particularly acute during the pandemic as schools grew more reliant on technology.

“For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.”

“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying - or even hiding - the fact that individuals had very sensitive information exposed,” Levin told The 74.

Under existing federal privacy rules, school districts are not required to notify the public when students’ personal information, including medical records, is exposed.

But keeping the extent of data breaches under wraps runs counter to schools’ mission of improving children’s lives and instead places them at heightened risk of harm, said school cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange.

Rules that pertain to sensitive health records maintained by hospitals and health insurers, which are protected by stringent data breach notification policies, differ from those that apply to education records kept by schools - even when the files themselves are virtually identical.

In contrast, the district publicly acknowledged last month that the sensitive information of district contractors had been leaked.

Cybersecurity experts said the revelation that student psychological records were exposed en masse and a lack of transparency by the district highlight a gap in existing federal privacy laws.
The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records.

But people are likely unaware their sensitive information is readily available online because the Los Angeles Unified School District hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists.

Update: After this story published, the Los Angeles school district acknowledged in a statement that “approximately 2,000” student psychological evaluations - including those of 60 current students - had been uploaded to the dark web.

Detailed and highly sensitive mental health records of hundreds - and likely thousands - of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last year, an investigation by The 74 has revealed. And federal privacy laws don’t require schools to go public
