FBI, DHS join probe into massive LAUSD cyberattack as school goes on

A man stands at a lectern while other people stand behind him.
Alberto Carvalho, superintendent of the Los Angeles Unified School District, speaks about the cyberattack at the Edward R. Roybal Learning Center on Tuesday.
(Francine Orr / Los Angeles Times)
Share via

The cyberattack that disabled computer systems across the Los Angeles Unified School District school was criminal in nature, but by Tuesday most online services — including key emergency systems — were operating safely,

Although the attack was carried out with a “ransomware tool,” the nation’s second-largest school system has not received a ransom demand, L.A. schools Supt. Alberto Carvalho said.

An investigation involving the FBI, the Department of Homeland Security and local law enforcement is under way, underscoring the seriousness of the attack, which was detected at 10:30 p.m. Saturday.


Besides taking the district’s website offline, the attack resulted in staff and students losing access to email. Systems that teachers use to post lessons and take attendance also went down. Carvalho said no Social Security numbers or medical information was stolen.

A man stands at a lectern as a man in suit and a man in police uniform stand behind him.
Carvalho with Los Angeles Mayor Eric Garcetti, left and Police Chief Michel Moore.
(Francine Orr / Los Angeles Times)

Authorities moved to shut down many of the district’s most sensitive platforms over the weekend as the attack was underway.

“By shutting down all the systems, we were able to stop the propagation of this event ... restricting its potential damage,” Carvalho said. “That was the right call at the right moment.”

By late Monday night officials determined hat the most vital systems were usable and Carvalho decided to open schools as scheduled on Tuesday.

“No. 1, we are experiencing a fairly normal school day and that was our intent,” Carvalho said in a news conference at the Roybal Learning Center, just west of downtown.


The district’s technical staff, aided by federal and local law enforcement and other government experts, evaluated the threat and damage before gradually restoring systems.

Carvalho described the attack as launched by a “ransomware tool that temporarily disabled systems, froze others and had access to some degree of data.”

Investigators, he said, have advised him to provide few details about the nature of the attackers as the breach is under investigation.

Among the major challenges Tuesday morning was a need for every student and employee to change their passwords. Carvalho said an initial glitch thwarted efforts to make this fix until about 9 a.m. Within minutes after that, he said, the number of reset passwords soared from about 5,000 to more than 50,000.

An 8 a.m. update included a staggered scheduled for changing passwords, with administrators and teachers going first, followed by support staff, high school students and finally elementary and middle school students.

For nearly everyone, the password must be changed at a district site, but an exception will be made for 7,000 students in full-time remote learning. These students and parents can use the district tech-help hotline — although the wait could be long, Carvalho said.


The district’s webpage was partially restored by early Tuesday morning, but the Board of Education page, which lists meetings and provides agendas and public reports, was still down in the early afternoon.

The district did not announce the attack until Monday night because, Carvalho said, a critical assessment and response was in progress and because the release of information had to be vetted through different agencies with a role in the investigation.

“Business operations may be delayed or modified,” the district stated in the initial release. However, “based on a preliminary analysis of critical business systems, employee healthcare and payroll are not impacted. Nor has the cyber incident impacted safety and emergency mechanisms in place at schools.”

But teachers continued to have problems with system Monday morning. One teacher reported that she was unable to log in. “Some teachers are under the impression they can change their LAUSD password, then log in, but the password site is down,” said one teacher.

“I am unable to do my job, which is to assure students are present in school,” an attendance counselor reported. “We do have paper attendance we will be collecting, but I would usually call home or go on home visits to find out students’ whereabouts. Unfortunately, with not having access to their information, I will not be able to find out where those students are. As it is, after the pandemic, we have been working hard to find students.”

Officials said they have been working around the clock to solve the multilayered problem.

“The White House brought together the Department of Education, the Federal Bureau of Investigation [FBI] and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency [CISA] to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies,” the district announcement said.


When the district acknowledged the attack, officials also announced an array of measures to improve cybersecurity going forward. These measures, the district said, “have been taken, will be taken immediately or will be implemented as soon as feasible.”

The list includes:

  • Setting up an independent Information Technology Task Force. It would be charged with developing recommendations within 90 days and providing monthly updates.
  • Deploying technical staff across the vast school system to assist with issues that arise in the coming days
  • Reorganizing departments and systems “to build coherence and bolster data safeguards”
  • Appointing an expert technology advisory council and naming a technology advisor who will focus on security procedures and practices as well as an overall data center operations review
  • Adding budget dollars as needed and improving employee training
  • Analyzing systems with help from federal and state law enforcement

In recent times, hackers have targeted businesses and public agencies, including schools — seeking ransom or simply to cause mayhem. A notable local attack targeted the Newhall school system in 2020.

Cyberattacks come in various forms, including the theft of private information with the potential to be misused at a later date. In May, the Chicago public school system announced that a massive data breach exposed four years’ worth of records of nearly 500,000 students and just under 60,000 employees.

The attack targeted a company that stored teacher evaluations and basic student information — including dates of birth — but no financial records or Social Security numbers, according to the school system.

A separate recent cyberattack, targeted a company, Illuminate Education, whose clients include L.A. Unified, and whose services, according to its website, reach “more than 17 million students” in 5,200 schools and school districts.

L.A. Unified has had a few major internal computer fails — especially related to intended upgrades. In one instance, the payroll system malfunctioned, resulting in underpayments and overpayments that took years to resolve. In another episode, a new student information system made students’ academic records and class schedules unavailable.


National assessments show that 9-year-olds suffered big drops in reading and math scores, with students who were already struggling seeing the biggest decline.

Sept. 2, 2022

Before the nature of the attack was made clear, a post on the local Parents Supporting Teachers Facebook page suggested making the best of the situation:

“LAUSD staff who thought they’d get some work done today are forced to relax due to a districtwide outage. Enjoy it!”

Parents and teachers reported a variety of problems on social media.

“Apparently everyone I’ve talked to/texted with says when they try to log on they are being instructed to change their Google password, saying it’s outdated… then when they do, it locks them out,” one person reported.

A teacher posted: “Everything that requires an lausd log-[in] is down for the count!!”

Other staff members also reported, referring to the Schoology system that is integral to posting and receiving assignments:

“My computer was logged into both schoology and my drive (before outage) and I have access. I can’t get into other sites and I’m not logging out for fear of being locked out.”

Another teacher had been planning to catch up on Monday: “Confession... I didn’t finish my lesson plans. The only good thing is that I have my Teacher guides downloaded, and all my slides.”


Said another: “EVERYTHING is on google drive. This is very frustrating. Praying my drive is restored!”