Last week, the Los Angeles Unified School District changed the official timeline of last year’s ransomware attack, more than four months after the incident was first disclosed.

The district is revising the scope of its high-profile data breach after an investigation showed that the initial intrusion occurred more than a month earlier than originally stated.

The threat actor accessed and exfiltrated files on its servers between July 31 and September 3, 2022, the district said in a data breach notice filed last week with the California Department of Justice.

The breach did not occur, as the district originally claimed, over Labor Day weekend. The new details indicate that the ransomware group compromised district systems and remained undetected for a month.

“Breaches usually go undetected for so long simply because the victimized organization is not well protected,” said Michela Menting, research director at ABI Research, via email.

Threat actors need to find a weak spot, while victim organizations need to invest in cybersecurity professionals and tools and develop a comprehensive prevention, detection and response plan.

“All of these factors combine to make it particularly difficult to respond quickly and effectively to threats,” Menting said. “Organizations need money, time and resources for cybersecurity, which public sectors lack even more than the private sector.”

These challenges are particularly frustrating in education, where IT systems and infrastructure are designed to be open and available to faculty and students.

“Due to the open nature of the infrastructure, there is increased risk,” Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, said via email.

Without proper resources, organizations often don’t have full visibility into their infrastructure or vendor ecosystem, making it difficult to quickly identify threats or compromises, Janssen-Anessi said.

Details emerge on a high-profile ransomware attack

The cyberattack on the Los Angeles school system, for which Vice Society later claimed responsibility, was the highest-profile and most damaging cyber incident in the education sector last year.

Vice Society stole about 500 gigabytes of data and posted about 250,000 files on the dark web, some containing social security numbers, contracts, W-9 tax forms, bills and passports, according to data observed by the threat researchers at Check Point.

Los Angeles district officials said they did not respond to the ransom demand.

It is not uncommon for the timeline of a cyberattack to change upon further investigation, and the same is true for the extent of the compromise.

LAUSD said its investigation was continuing, but on Jan. 9, it identified labor compliance documents and certified payroll records implicating contractors who worked on Facility Services Division projects. The files contained the names, addresses and social security numbers of employees of contractors and contractors, the district said in the data breach notice.

“Initial delays are often a rushed analysis based on partial data,” Andrew Hay, COO at Lares Consulting, an information security consultancy, said by email.

“It is only once the analysis of the incident has been completed that a precise timetable can be established. Hindsight, as they say, is 20/20,” Hay said.

A precise timetable is essential, but post-breach investigations are complex, and many factors can delay confirmation of the relevant details.

“The longer a threat actor is able to stay on the infrastructure, the more havoc they can wreak,” Janssen-Anessi said.

“Speed is important after a breach, and the goal should be to find out as soon as optimally possible,” Janssen-Anessi said. “Unfortunately, more often than not, this is not the case. Cyberattacks are complicated, and threat actors are continually honing their skills, making every attack nuanced.”
