Cyber Incident Victim: Los Angeles Unified School District

Date: Sep 2022

Location: United States of America

Summary

The Los Angeles Unified School District, the second largest in the U.S., experienced a ransomware attack disrupting its IT systems, including email and application access. The district collaborated with federal agencies and law enforcement, including the FBI and CISA, to investigate and mitigate the incident while maintaining critical operations such as instruction, transportation, food services, payroll, and emergency mechanisms. Immediate response measures included deploying IT personnel across sites, establishing an independent task force for security recommendations, initiating cybersecurity training, and setting up support hotlines for students, staff, and families. Business operations faced potential delays, but systemic safeguards and forensic reviews were prioritized to enhance infrastructure protections.

Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor

Description

The Los Angeles Unified School District (LAUSD), the second-largest public school district in the United States serving over 640,000 students across Los Angeles and 31 municipalities, experienced a ransomware attack targeting its Information Technology (IT) systems during the Labor Day holiday weekend in early September 2022. LAUSD first detected unusual activity in its IT infrastructure over the weekend, with technical disruptions becoming apparent on September 3-4, 2022. By September 5, the district confirmed the incident as an external cyber attack of criminal origin that disrupted access to critical systems including email servers, computer systems, and applications. Despite the widespread technical disruption, LAUSD announced that all schools would open as scheduled on September 6 following immediate implementation of response protocols to maintain core educational functions.

The district engaged multiple law enforcement and federal agencies within hours of detection, including local police, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA). At LAUSD's request, the White House coordinated a joint response effort involving the Department of Education, FBI, and CISA to provide rapid incident response support. Federal investigative and technical experts were deployed on-site to collaborate with LAUSD's IT division on containment and forensic analysis. While critical systems like payroll processing, employee healthcare, school safety mechanisms, and emergency services remained operational, the attack caused delays and modifications to routine business operations. LAUSD initiated a comprehensive mitigation strategy including the creation of an independent IT Task Force to deliver security recommendations within 90 days, immediate deployment of IT personnel to all school sites, mandatory cybersecurity training for employees, and budget appropriations for infrastructure enhancements. The district maintained uninterrupted student instruction, transportation, food services, and Beyond the Bell programming through adaptive measures such as manual attendance collection and dedicated hotlines for technical support. No evidence suggested compromise of student or employee data during the incident, though the district committed to ongoing system-wide protective assessments with federal partners and private cybersecurity experts to strengthen defenses against future attacks.
