Demanding Transparency

“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying — or even hiding — the fact that individuals had very sensitive information exposed.”

– Doug Levin , K12 Security Information eXchange

During last year’s Labor Day Weekend, the LAUSD was forced to shut down its computer systems after finally discovering a month-long attack by Russian hackers. Seven months later users are still reporting issues with the systems, the Board of Education’s website is labeled as “temporary” and not fully functional, and as of last month “Notice of Data Breach” letters were still trickling out to parents whose children had their medical records released.

Since the attack, Superintendent Carvalho has only seemed to release unfavorable information when pressed with evidence that what he said in the past was not true. The result has been diminishing confidence that the District is handling the crisis appropriately by those affected by the breach. The Northridge Neighborhood Council spoke up on behalf of these constituents in an email sent to the Chair of the Los Angeles City Council’s Neighborhoods and Community Enrichment Committee:

Dear Ms. Eunisses Hernandez:

During the 2022 Labor Day weekend students, parents, and teachers of the LAUSD found themselves locked out of the District’s computer system due to what was later reported to be a cyber attack. In the immediate aftermath of this attack, LAUSD Superintendent Alberto M. Carvalho was insistent that the IT department had immediately recognized the incursion as it was happening in “real-time” and were able to immediately bring the systems down to protect against additional damage. He also stated that the district’s computers were attacked “one time, not more than one time” and warned that those disseminating a different timeline had “garnered the attention of federal authorities.”

In October an anonymous source from law enforcement revealed that sensitive information had been obtained by the hackers including “confidential psychological assessments of students” and “personal identifying information, including some social security numbers.” In response, Superintendent Carvalho went before the press to state that these reports were “absolutely incorrect.” He assured the public that “we have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly”.

By January, the Superintendent’s narrative about the timeline of the attack had begun to fall apart. Instead of a “one-time” attack, the intruders had been in the LAUSD’s systems for over a month before they had been detected. The cyberattack that supposedly had “began and ended on September 3, 2022,” had actually accessed the District’s systems “between July 31, 2022, and Sept. 3, 2022.”

A report released in February by “The 74” revealed that files posted on the Dark Web by Russian hackers were “among the most sensitive records that schools keep about children with disabilities.” This information included “detailed and highly sensitive mental health records of hundreds — and likely thousands — of former Los Angeles students”, including “psychological evaluations”. In the aftermath of this report, the LAUSD was forced to admit that “that 'approximately 2,000' student psychological evaluations — including those of 60 current students — had been uploaded to the dark web.”

On March 15, 2023, the Northridge East Neighborhood Council (NENC) voted unanimously to support the following resolution drafted by the Education Committee:

“The NENC expects the LAUSD Board and Superintendent Carvalho to exercise full transparency regarding all intrusions (hacks) into the District’s computer systems. We expect the District to act in good faith and immediately disclose to affected parents, students, employees, and contractors the extent of the breach and assist them in limiting potential damages.”

After this resolution was passed, additional teachers and students revealed that they had received “Notice of Data Breach” letters from the District. The letter that I reviewed warned the parent that “one or more files that included your child’s name and medical information” was identified in a “review of the files involved”. It did not say if the child’s information was actually found on the Dark Web or if it was simply in a file that was known to be compromised.

The NENC urges the Neighborhoods and Community Enrichment Committee to join us in expressing to the LAUSD Board and Superintendent Carvalho that full transparency is immediately needed regarding the intrusion into its systems. The District must also assist those who were affected to limit potential damages.

Thank You,

Carl Petersen

NENC Education Committee Chair

____________________________

Carl Petersen is a parent advocate for public education, particularly for students with special education needs. He was elected to the Northridge East Neighborhood Council and is the Education Chair. As a Green Party candidate in LAUSD’s District 2 School Board race, he was endorsed by Network for Public Education (NPE) Action. Dr. Diane Ravitch has called him “a valiant fighter for public schools in Los Angeles.” For links to his blogs, please visit www.ChangeTheLAUSD.com. Opinions are his own.