Los Angeles Unified School District (LAUSD) officials are investigating a threat actor's claims that they're selling stolen databases containing records belonging to millions of students and thousands of teachers.

LAUSD is the second largest public school district in the United States, with over 25,900 teachers, roughly 48,700 other employees, and more than 563,000 students enrolled during the 2023-2024 school year.

The threat actor selling the allegedly stolen data for $1,000 says the CSV files put up for sale on a hacking forum contain over 11GB of data, as first spotted by Dark Web Informer. These files are said to include over 26 million records with student information, more than 24,000 teacher records, and around 500 containing staff information.

They also shared two data samples containing roughly 1,000 student records with Social Security Numbers (SSNs), addresses, parent addresses, email addresses, contact information, and dates of birth as proof that the information was legitimate.

Researchers who analyzed these samples told BleepingComputer that the sold data appears legitimate but could be old, as the dataset does not include recent dates. However, the threat actor only shared a small sample of the allegedly stolen data, so there may be new information that has yet to be shared.

BleepingComputer contacted LAUSD earlier today to confirm the threat actor's claims and was told that the public school district is investigating. After the article was published, the school district sent a follow-up statement saying that law enforcement had also been informed and is now helping with the investigation.

"Los Angeles Unified has become aware of an account from a malicious actor purporting to offer certain district data for sale," an LAUSD spokesperson told BleepingComputer.

"The District is investigating the claim and engaging with law enforcement to investigate and respond to the incident. As always, we prioritize the privacy of our students, families and employees."

Alleged LAUSD stolen data for sale online (BleepingComputer)

​Vice Society ransomware attack

LAUSD was also hit by a ransomware attack in September 2022, over the Labor Day weekend. The Vice Society gang claimed the breach, saying they also stole 500GB of files before encrypting the district's systems.

On the day LAUSD disclosed the incident, the FBI, CISA, and MS-ISAC also issued a joint advisory warning that Vice Society was disproportionately targeting education organizations.

After the attack, LAUSD asked all employees (including teachers, support staff, and administrators) and students to reset their @LAUSD.net account credentials in person at a district site and expedited the rollout of multi-factor authentication.

Almost one month after the attack, Vice Society published the stolen LAUSD data on their dark web leak site, including what a law enforcement source described as "confidential psychological assessments of students, contract and legal documents, business records, and numerous database entries."

The leak came after the district announced that it would not pay the ransom demanded by the ransomware gang because it wouldn't guarantee the full recovery of data and "public dollars are better spent on our students."

It is unclear at this time if the data currently being sold on the hacking forum is linked to the data stolen by Vice Society.

Update June 07, 11:29 EDT: Added LAUSD statement.

Related Articles:

Vice Society claims LAUSD ransomware attack, theft of 500GB of data

Europol confirms web portal breach, says no operational data stolen

Infosys McCamish says LockBit stole data of 6 million people

Dairy giant Agropur says data breach exposed customer info

Los Angeles Unified confirms student data stolen in Snowflake account hack