Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks

Explore

News

��Ƶ

Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks

A 74 investigative series: Meet the hired guns who make sure school cyberattacks stay hidden.

By Mark Keierleber

February 10, 2025

Education news and commentary, delivered right to your inbox.

This site is protected by reCAPTCHA and the Google and apply.

Most Popular

opinion
What a Hallway Sprint Taught Me About Chronic Absenteeism
commentary
Why Some Students Don’t Raise Their Hands. How Early Education Can Change That
immigration
ICE Raids Caused Enrollment to Drop. Now Districts Are Paying the Price
Artificial Intelligence
Five Things to Know About the New Khan TED Institute
new polling
Gen Z Increasingly Skeptical of — And Angry About — Artificial Intelligence

Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about America’s second-largest school district.

The Los Angeles Unified School District was ensnared by three high-profile cyberattacks in the last few years, each of which exposed reams of sensitive information online.

Three subsequent class-action lawsuits from parents accused the nation’s second-largest district of taking inadequate steps to protect their children’s personal records — and failing to tell them that sensitive information had been leaked. The district has since taken multiple actions to shield details about the incidents from public view.

The trio of events encompass a September 2022 ransomware attack that exposed students’ highly sensitive psychological evaluations among other records; a January 2022 cyberattack on education technology company Illuminate Education, which compromised sensitive information in Los Angeles and districts nationwide; and a massive June 2024 cyberattack on the cloud computing company Snowflake, a third-party vendor used by the district to store certain records.

Threat actors with the Vice Society cybergang took credit for the September 2022 ransomware attack on L.A. schools, posting the records to its dark web leak site after education officials did not pay its extortion demand. In the aftermath of the attack, Superintendent Alberto Carvalho sought to downplay its effect on students. An told the local press that students’ psychological evaluations were included in the leak, a revelation Carvalho refuted as “absolutely incorrect.”

Los Angeles schools Superintendent Alberto Carvalho (Getty Images)

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system but said the “vast majority” of exposed student records involved their names, academic records and home addresses.

An investigation by The 74 into the leak uncovered that the breach had, in fact, exposed student psychological evaluations, which contain a startling degree of personally identifiable information about students receiving special education services, including their detailed medical histories, academic performance and disciplinary records. Just hours after our story published, the district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web.

In a statement to The 74, a district spokesperson said its cybersecurity response protocol “follows a clear, structured process that prioritizes swift internal assessment and adherence to all applicable state and federal data privacy regulations.” The process, the district said, is “designed with transparency, compliance and community trust in mind.”

Due to the sensitive nature of the information, students may have to “deal with this breach for the rest of their lives,” attorney Ryan Clarkson told The 74. Clarkson represents students and parents in a class-action lawsuit alleging LAUSD failed to act on known cybersecurity vulnerabilities and provided families insufficient notice that students’ personal records had been compromised.

“It’s hard to bury it, it’s hard to get away from it, it’s kind of part of who we are,” Clarkson said in an interview. “Your psychology as a child is always going to be your psychology as a child.”

While the parents of special education students had been left in the dark about the breach, so too were members of the district’s special education committee. Carvalho acknowledged at a September 2022 that L.A. Unified was a “district under siege” and sought to “dispel rumors” about the incident, including one that multiple attacks had occurred. He didn’t make any statements regarding the impact on sensitive special education records.

Carl Petersen, who served on the committee at the time, told The 74 that Carvalho left the committee members without information about the attack’s ramifications on children with disabilities.

“At that point it was, ‘Oh, this was a very minor thing. We caught them in the system immediately and we shut it down,” said Petersen, who described Carvalho’s comments as part of a larger district effort to obfuscate.

In January 2023 — four months after the attack — L.A. school officials acknowledged in that sensitive records had been exposed but only listed Social Security numbers included in payroll records and third-party contractor files swept up in the breach. It wasn’t until March 2023 that they disclosed to state regulators the leak had also compromised .

The letter submitted to the California AG’s office doesn’t make clear the types of student records that were affected but urges individuals to “keep a copy of this notice for your records in case of future issues with your child’s medical records.”

The 74 submitted a public records request for information related to the ransomware attack, including complaints submitted to a hotline LAUSD created in its wake, insurance claims, Carvalho’s communications with the FBI and the types of student records that were subject to disclosure. The district denied the requests, stating it could not locate any “non-privileged responsive records,” meaning that they didn’t have to provide any of the records that were responsive because they were legally protected from disclosure.

A week after it was discovered, the school board to grant Carvalho emergency spending powers to recover from the 2022 Labor Day weekend attack, allowing the schools chief a year to “enter into any and all contracts” to address the incident “without advertising or inviting bids and for any dollar amount necessary.”

‘Shared with the world’

In August 2023, nearly a year after the attack, Carvalho made a high-profile appearance at the White House, where then-First Lady Jill Biden warned about the growing threat of cyberattacks on students and a need to do more to protect their sensitive data.

Homeland Security Secretary Alejandro Mayorkas, Education Secretary Miguel Cardona, and First Lady Jill Biden depart a back-to-school K-12 cybersecurity summit at the White House on Aug. 8. (Getty Images)

“If we want to safeguard our children’s futures, we must protect their personal data,” she said at the first-ever K-12 cybersecurity summit. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

Carvalho said quick reaction time by the Los Angeles district and federal law enforcement officials set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. His remarks in the East Room didn’t touch on the leak of students’ mental health records but said the number of stolen files “could have been much worse” had officials not acted quickly to prevent the cybercriminals from encrypting additional district systems. One action they had no intention of doing, he said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”

Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried that fallout from the data breach could divert money from the services her children with disabilities need.

“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, while acknowledging it “would be very disturbing” if her own child’s psychological evaluations were leaked online.

As L.A. Unified’s response to the attack was being lauded by federal officials at the White House summit, its lawyers were in court with parents who alleged the district’s mitigation efforts weren’t just inadequate — they violated the law. Three separate lawsuits filed in Los Angeles County Superior Court charge the district had insufficient safeguards in place to secure students’ sensitive records and failed to provide enough notice to victims once that information was stolen.

An inspector general’s office audit highlighted cybersecurity vulnerabilities yet, the complaints allege, LAUSD failed to take the necessary steps to prevent the attack. Parents also charge the district failed to comply with state data breach notice requirements after it learned that students’ psychological records and other files were published online.

The most recent complaint was filed in September 2024 against the district and the company InfoSys, which built and manages the My Integrated Student Information System — the district’s primary student data portal. The district “has stated under oath in discovery responses” that InfoSys managed the student information system that was compromised, according to court records filed by the plaintiffs.

Insufficient cybersecurity protocols allowed the intrusion to go unnoticed for more than two months, the lawsuit alleges, and, once it was discovered, L.A. school leaders failed to provide “prompt and accurate notice of the data breach.”

The breached portal “is currently the largest student data system in the United States,” the 162-page complaint notes, yet district officials “prioritized a race to incorporate technology in classrooms, with no regard for the risks of harboring troves of student data in online databases subject to cyberattacks.”

One district, three breaches

Months before the Vice Society ransomware attack began, Los Angeles student records were exposed in a cyberattack on ed tech vendor Illuminate Education, which affected districts nationwide. LAUSD submitted a breach notice to the California attorney general’s office in May 2022, some unfolded. The report doesn’t disclose the types of information that were exposed or the number of students who had been affected.

Then, in June 2024, a threat actor who goes by the name “the Satanic Cloud” posted a listing on a notorious dark web marketplace, seeking $1,000 in exchange for what they claimed was a trove of more than 24 million L.A. school district records. A second threat actor, known as “Sp1d3r” similarly posted a listing for records reportedly stolen from the district with a $150,000 price tag.

The district said school data maintained by a third-party vendor was caught up in a cyberattack on the cloud computing company Snowflake, but officials didn’t disclose the name of the vendor or the types of records that may have been compromised.

The district denied a public records request by The 74 seeking information related to the incident, saying that certain files were protected by attorney-client privilege.

The incident doesn’t appear in a California attorney general’s office database of data breaches.

This story was supported by a grant from the Fund for Investigative Journalism.

Did you use this article in your work?

We’d love to hear how The 74’s reporting is helping educators, researchers, and policymakers.

Republish This Article Learn More

Mark Keierleber is an investigative reporter at The 74.

[email protected]

Republish This Article

We want our stories to be shared as widely as possible — for free.

Please view The 74's republishing terms.


                <h2>Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks</h2>

                <h2>A 74 investigative series: Meet the hired guns who make sure school cyberattacks stay hidden.</h2>

                <p class="sans">By <a rel="author" href="/about/team/mark-keierleber/">Mark Keierleber</a></p>

                <img src="/wp-content/uploads/2025/02/los_angeles-cyberattack-in-the-dark.jpg">

                <p>This story first appeared at <a href="/">The 74</a>, a nonprofit news site covering education. <a href="/about/newsletters/?utm_source=republish-button&utm_medium=website&utm_campaign=republish">Sign up for free newsletters from The 74</a> to get more like this in your inbox.</p>
                
<p><em>Kept in the Dark is </em><a href="/article/kept-in-the-dark/"><em>an in-depth investigation </em></a><em>into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about America’s second-largest school district. </em></p>



<p>The Los Angeles Unified School District was ensnared by three high-profile cyberattacks in the last few years, each of which exposed reams of sensitive information online. </p>



<p>Three subsequent class-action lawsuits from parents accused the nation’s second-largest district of taking inadequate steps to protect their children’s personal records — and failing to tell them that sensitive information had been leaked. The district has since taken multiple actions to shield details about the incidents from public view. </p>







<p>The trio of events encompass a September 2022 ransomware attack that exposed students’ highly sensitive psychological evaluations among other records; a January 2022 cyberattack on <a href="/article/after-huge-illuminate-data-breach-ed-techs-student-privacy-pledge-under-fire/">education technology company Illuminate Education</a>, which compromised sensitive information in Los Angeles and districts nationwide; and<a href="/article/whistleblower-l-a-schools-chatbot-misused-student-data-as-tech-co-crumbled/"> a massive June 2024 cyberattack</a> on the cloud computing company Snowflake, a third-party vendor used by the district to store certain records. </p>



<p>Threat actors with the Vice Society cybergang took credit for the September 2022 ransomware attack on L.A. schools, posting the records to its dark web leak site after education officials did not pay its extortion demand. In the aftermath of the attack, Superintendent Alberto Carvalho sought to <a href="/article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/">downplay its effect on students</a>. An  told the local press that students’ psychological evaluations were included in the leak, a revelation Carvalho refuted as “absolutely incorrect.” </p>



<figure class="wp-block-image size-full"><img decoding="async" width="1200" height="720" src="/wp-content/uploads/2024/01/alberto-carvalho-la-schools-charters.png" alt="" class="wp-image-721424" srcset="/wp-content/uploads/2024/01/alberto-carvalho-la-schools-charters.png 1200w, /wp-content/uploads/2024/01/alberto-carvalho-la-schools-charters-300x180.png 300w, /wp-content/uploads/2024/01/alberto-carvalho-la-schools-charters-825x495.png 825w, /wp-content/uploads/2024/01/alberto-carvalho-la-schools-charters-215x129.png 215w, /wp-content/uploads/2024/01/alberto-carvalho-la-schools-charters-768x461.png 768w, /wp-content/uploads/2024/01/alberto-carvalho-la-schools-charters-232x139.png 232w" sizes="(max-width: 1200px) 100vw, 1200px" /><figcaption class="wp-element-caption">Los Angeles schools Superintendent Alberto Carvalho (Getty Images)</figcaption></figure>



<p>“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system but said the “vast majority” of exposed student records involved their names, academic records and home addresses. </p>



<p>An <a href="/article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/">investigation by The 74</a> into the leak uncovered that the breach had, in fact, exposed student psychological evaluations, which contain a startling degree of personally identifiable information about students receiving special education services, including their detailed medical histories, academic performance and disciplinary records. Just hours after our story published, the district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web. </p>



<p>In a statement to The 74, a district spokesperson said its cybersecurity response protocol “follows a clear, structured process that prioritizes swift internal assessment and adherence to all applicable state and federal data privacy regulations.” The process, the district said, is “designed with transparency, compliance and community trust in mind.”</p>



<figure class="wp-block-image size-large"><a href="/article/kept-in-the-dark/?utm_source=The+74+Million+Newsletter&utm_campaign=136396826d-EMAIL_CAMPAIGN_2022_07_27_07_47_COPY_01&utm_medium=email&utm_term=0_077b986842-136396826d-49062689"><img decoding="async" width="825" height="327" src="/wp-content/uploads/2025/02/data-breach-interactive-the-74-825x327.png" alt="" class="wp-image-739744" srcset="/wp-content/uploads/2025/02/data-breach-interactive-the-74-825x327.png 825w, /wp-content/uploads/2025/02/data-breach-interactive-the-74-300x119.png 300w, /wp-content/uploads/2025/02/data-breach-interactive-the-74-215x85.png 215w, /wp-content/uploads/2025/02/data-breach-interactive-the-74-768x305.png 768w, /wp-content/uploads/2025/02/data-breach-interactive-the-74.png 1500w" sizes="(max-width: 825px) 100vw, 825px" /></a></figure>



<p>Due to the sensitive nature of the information, students may have to “deal with this breach for the rest of their lives,” attorney Ryan Clarkson told The 74. Clarkson represents students and parents in a class-action lawsuit alleging LAUSD failed to act on known cybersecurity vulnerabilities and provided families insufficient notice that students’ personal records had been compromised.  </p>



<p>“It’s hard to bury it, it’s hard to get away from it, it’s kind of part of who we are,” Clarkson said in an interview. “Your psychology as a child is always going to be your psychology as a child.”</p>



<p>While the parents of special education students had been left in the dark about the breach, so too were members of the district’s special education committee. Carvalho acknowledged at a September 2022  that L.A. Unified was a “district under siege” and sought to “dispel rumors” about the incident, including one that multiple attacks had occurred. He didn’t make any statements regarding the impact on sensitive special education records. </p>



<p>Carl Petersen, who served on the committee at the time, told The 74 that Carvalho left the committee members without information about the attack’s ramifications on children with disabilities. </p>



<p>“At that point it was, ‘Oh, this was a very minor thing. We caught them in the system immediately and we shut it down,” said Petersen, who described Carvalho’s comments as part of a larger district effort to obfuscate. </p>



<p>In January 2023 — four months after the attack — L.A. school officials acknowledged in  that sensitive records had been exposed but only listed Social Security numbers included in payroll records and third-party contractor files swept up in the breach. It wasn’t until March 2023 that they disclosed to state regulators the leak had also compromised . </p>



<p>The letter submitted to the California AG’s office doesn’t make clear the types of student records that were affected but urges individuals to “keep a copy of this notice for your records in case of future issues with your child’s medical records.” </p>



<p>The 74 submitted a public records request for information related to the ransomware attack, including complaints submitted to a hotline LAUSD created in its wake, insurance claims, Carvalho’s communications with the FBI and the types of student records that were subject to disclosure. The district denied the requests, stating it could not locate any “non-privileged responsive records,” meaning that they didn’t have to provide any of the records that were responsive because they were legally protected from disclosure. </p>



<p>A week after it was discovered, the school board  to grant Carvalho emergency spending powers to recover from the 2022 Labor Day weekend attack, allowing the schools chief a year to “enter into any and all contracts” to address the incident “without advertising or inviting bids and for any dollar amount necessary.” </p>



<h3 class="wp-block-heading"><strong>‘Shared with the world’</strong></h3>



<p>In August 2023, nearly a year after the attack, Carvalho made a high-profile appearance at the White House, where then-First Lady Jill Biden warned about the growing threat of cyberattacks on students and a need to do more to protect their sensitive data.</p>



<figure class="wp-block-image size-full"><img decoding="async" width="1200" height="720" src="/wp-content/uploads/2023/08/white-house-cyber-security-summit.jpg" alt="" class="wp-image-712924" srcset="/wp-content/uploads/2023/08/white-house-cyber-security-summit.jpg 1200w, /wp-content/uploads/2023/08/white-house-cyber-security-summit-300x180.jpg 300w, /wp-content/uploads/2023/08/white-house-cyber-security-summit-825x495.jpg 825w, /wp-content/uploads/2023/08/white-house-cyber-security-summit-215x129.jpg 215w, /wp-content/uploads/2023/08/white-house-cyber-security-summit-768x461.jpg 768w, /wp-content/uploads/2023/08/white-house-cyber-security-summit-232x139.jpg 232w" sizes="(max-width: 1200px) 100vw, 1200px" /><figcaption class="wp-element-caption">Homeland Security Secretary Alejandro Mayorkas, Education Secretary Miguel Cardona, and First Lady Jill Biden depart a back-to-school K-12 cybersecurity summit at the White House on Aug. 8. (Getty Images)</figcaption></figure>



<p>“If we want to safeguard our children’s futures, we must protect their personal data,” she said at the <a href="/article/white-house-takes-on-urgent-k-12-cybersecurity-threat-at-first-ever-summit/">first-ever K-12 cybersecurity summit.</a> “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”</p>



<p>Carvalho said quick reaction time by the Los Angeles district and federal law enforcement officials set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. His remarks in the East Room didn’t touch on the leak of students’ mental health records but said the number of stolen files “could have been much worse” had officials not acted quickly to prevent the cybercriminals from encrypting additional district systems. One action they had no intention of doing, he said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”  </p>



<p>Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried that fallout from the data breach could divert money from the services her children with disabilities need.</p>



<p>“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, while acknowledging it “would be very disturbing” if her own child’s psychological evaluations were leaked online. </p>



<p>As L.A. Unified’s response to the attack was being lauded by federal officials at the White House summit, its lawyers were in court with parents who alleged the district’s mitigation efforts weren’t just inadequate — they violated the law. Three separate lawsuits filed in Los Angeles County Superior Court charge the district had insufficient safeguards in place to secure students’ sensitive records and failed to provide enough notice to victims once that information was stolen. </p>



<p>An inspector general’s office audit  highlighted cybersecurity vulnerabilities yet, the complaints allege, LAUSD failed to take the necessary steps to prevent the attack. Parents also charge the district failed to comply with state data breach notice requirements after it learned that students’ psychological records and other files were published online. </p>



<p>The most recent complaint was filed in September 2024 against the district and the company InfoSys, which built and manages the My Integrated Student Information System — the district’s primary student data portal. The district “has stated under oath in discovery responses” that InfoSys managed the student information system that was compromised, according to court records filed by the plaintiffs.</p>



<p>Insufficient cybersecurity protocols allowed the intrusion to go unnoticed for more than two months, the lawsuit alleges, and, once it was discovered, L.A. school leaders failed to provide “prompt and accurate notice of the data breach.” </p>



<p>The breached portal “is currently the largest student data system in the United States,” the 162-page complaint notes, yet district officials “prioritized a race to incorporate technology in classrooms, with no regard for the risks of harboring troves of student data in online databases subject to cyberattacks.” </p>



<h3 class="wp-block-heading">One district, three breaches</h3>



<p>Months before the Vice Society ransomware attack began, Los Angeles student records were exposed in a cyberattack on <a href="/article/illuminate-ed-pulled-from-student-privacy-pledge-after-massive-data-breach/">ed tech vendor Illuminate Education</a>, which affected districts nationwide. LAUSD submitted a breach notice to the California attorney general’s office in May 2022, some unfolded. The report doesn’t disclose the types of information that were exposed or the number of students who had been affected. </p>



<p>Then, in June 2024, a threat actor who goes by the name “the Satanic Cloud” <a href="/article/l-a-schools-investigates-data-breach-as-fcc-approves-200m-cybersecurity-pilot/">posted a listing</a> on a notorious dark web marketplace, seeking $1,000 in exchange for what they claimed was a trove of more than 24 million L.A. school district records. A second threat actor, known as “Sp1d3r” similarly posted a listing for records reportedly stolen from the district with a $150,000 price tag. </p>



<p>The district said school data maintained by a third-party vendor was caught up in a cyberattack on the cloud computing company Snowflake, but officials didn’t disclose the name of the vendor or the types of records that may have been compromised. </p>



<p>The district denied a public records request by The 74 seeking information related to the incident, saying that certain files were protected by attorney-client privilege. </p>



<p>The incident doesn’t appear in a California attorney general’s office database of data breaches.</p>



<aside class="inline_story shortcode simple video_short"><a href="/article/cyberattacks-how-schools-cover-up-data-breaches/"data-shortvid_id="QgP0gbSW6FE"><figure style="background-image: url(/wp-content/uploads/2025/02/CYBERATTACK-THUMB-2.jpg);"></figure><div><span class="sans related_tag">Watch</span><h4 class="sans">Cyberattacks: How Schools Cover Up Data Breaches</h4></div></a></aside>



<p><em>This story was supported by a grant from the Fund for Investigative Journalism.</em></p>

��Ƶ

Contact Us

Follow Us

Explore

Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks

A 74 investigative series: Meet the hired guns who make sure school cyberattacks stay hidden.

Education news and commentary, delivered right to your inbox.

Most Popular

What a Hallway Sprint Taught Me About Chronic Absenteeism

Why Some Students Don’t Raise Their Hands. How Early Education Can Change That

ICE Raids Caused Enrollment to Drop. Now Districts Are Paying the Price

Five Things to Know About the New Khan TED Institute

Gen Z Increasingly Skeptical of — And Angry About — Artificial Intelligence

‘Shared with the world’

One district, three breaches

On The 74 Today

������Ƶ

Explore

Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks

A 74 investigative series: Meet the hired guns who make sure school cyberattacks stay hidden.

Education news and commentary, delivered right to your inbox.

Most Popular

What a Hallway Sprint Taught Me About Chronic Absenteeism

Why Some Students Don’t Raise Their Hands. How Early Education Can Change That

ICE Raids Caused Enrollment to Drop. Now Districts Are Paying the Price

Five Things to Know About the New Khan TED Institute

Gen Z Increasingly Skeptical of — And Angry About — Artificial Intelligence

‘Shared with the world’

One district, three breaches

On The 74 Today

��Ƶ