EDITOR'S NOTE: Multimedia journalist Lydia Pantazes spoke with an LAUSD teacher and a Cal State San Bernardino professor about the cyberattack. Click the arrow above to watch the video.
LOS ANGELES (CNS) — The Los Angeles Unified School District was experiencing a "fairly normal school day" Tuesday following a weekend cyberattack on its information technology systems that has led to a federal investigation and instructions for teachers, staff and students to change their district passwords, LAUSD Superintendent Alberto Carvalho said at a news briefing.
All "indispensable" systems were active Tuesday morning, with Carvalho expecting a protracted and collaborative investigation by federal, state and local authorities into the matter. The only system down was facility systems, which manages contracting procurements.
"We are in a far better position than we anticipated being just this morning," Carvalho said.
The district contacted federal officials over the weekend, prompting the White House to mobilize a response from the U.S. Department of Education, the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, according to the LAUSD.
Carvalho said the district was attacked with a ransomware tool but has not received a ransom demand. Officials detected unusual activity Saturday night from an external entity, prompting the district to deactivate all its systems in an "unprecedented" move.
"We did not know at that time what areas were targeted, what entity was targeting us," Carvalho said. "We were unaware how deep, how complex this incident, this action, was. So, as a matter of protection, we basically shut down every one of our systems."
The decision was "the right call at the right moment" because it restricted the damage of the cyberattack, according to Carvalho.
Carvalho said that by late Monday night, the district confirmed that all key systems would be active Tuesday morning, allowing the district to proceed with starting school as normal following Labor Day.
District officials described the incident as "likely criminal in nature," and said they were assessing the situation with law enforcement agencies.
Schools opened as scheduled Tuesday despite "significant disruption to our system's infrastructure," according to the district.
The attack temporarily interfered with the LAUSD website and email system. But officials said employee health care and payroll were not impacted, nor did the cyber incident impact safety and emergency mechanisms in place at schools.
They added that some food or Beyond the Bell services and business operations may be delayed or modified.
On Tuesday, the district announced that all students and staff will need to change their lausd.net passwords, but it set specific times for when those changes should be made, and stressed the change "must be completed at a district site."
To minimize wait times while the changes were being made, the district set a schedule of 7 a.m. for administrators and teachers, 9 a.m. for support staff, 10 a.m. for high school students and 11 a.m. for elementary/middle school students.
Around 9:30 a.m., Carvalho tweeted that roughly 53,000 passwords had been reset without any issues. But there were still tens of thousands to go.
"That has been the biggest challenge, is the resetting of passwords," Carvalho said. "We depend on a limited number of servers. The bottleneck effect is real."
Officials have also been monitoring the city's email system, according to Mayor Eric Garcetti.
"We have not discovered any dark web chatter or information at this time but we continue to monitor that," Garcetti said.
Carvalho said that the goal was to continue with classes to the greatest extent possible.
"After two-plus years of a pandemic that has truly robbed many of our kids' educational opportunity, has interrupted learning, we wanted to resume the schooling process as quickly as possible," Carvalho said.
District officials said they immediately established a plan of action to provide protection in the future, "informed by top public and private sector technology and cyber security professionals."
The plan includes the following actions:
- Independent Information Technology Task Force: Charged with developing a set of recommendations within 90 days, including monthly status updates;
- Additional human resources: Deployment of IT personnel at all sites to assist with technical issues that may arise in the coming days;
- Technology investments: Full-scale reorganization of departments and systems to build coherence and bolster data safeguards;
- Advisory council: Charged with providing ongoing advisement on best practices and systems, including emerging technological management protocols;
- Technology adviser: Directed to focus on security procedures and practices, as well as conduct an overall data center operations review that includes an assessment of existing technology, critical processes and current infrastructure;
- Budget appropriation: Directed appropriation of any necessary funding to support Information Technology Division infrastructure enhancement;
- Employee training: Develop and implement mandatory cybersecurity responsibility training;
- Forensic review: Expand ongoing assistance from federal and state law enforcement entities to include a forensic review of systems;
- Expert team: Creation and deployment of an expert team to assess needs and support the implementation of immediate solutions.