Update on Los Angeles School District Massive Data Breach

Earlier this month the Los Angeles Unified School District (LAUSD) was hit by a cyber attack. The breach affected 24 million students and about 50,000 teachers. Now we are learning more about it.

  1. The LAUSD is blaming a vendor. Nothing new there. It is not our fault; it is the fault of the vendor that we vetted, we chose and we managed. That won’t fly very far in the lawsuits that will no doubt happen.
  2. The vendor says it is the fault of the Snowflake vulnerability. Remember, Snowflake is a hosting provider, like, say, Amazon, that is designed to support really intense data analytics. It is the source of the Ticketmaster breach, Santander bank breach, Pure Storage breach, now the LAUSD breach and about 160 more that have not fessed up yet. Snowflake says that they were not breached. They blame their customers’ crappy cybersecurity practices. While it is generally bad form to blame your customers, in this case it certainly could be accurate. Cyber forensics firm Mandiant said that for virtually all of the Snowflake customer breaches they looked at, the customer was not using multifactor authentication. Perhaps you can blame Snowflake for allowing this, but in reality, this is the customer’s fault. That excuse won’t fly very far either.

For students, the data includes:

  • Gender
  • Ethnicity
  • Zip code
  • City
  • Date of birth
  • ID number
  • School names
  • School phone numbers
  • Phone numbers
  • Email addresses
  • Home addresses
  • Home location coordinates
  • Immigration status
  • Parent ID number
  • Student ID number
  • Full names
  • City and country of birth
  • Full parent details
  • and, a lot more

For teachers, similar data was breached, along with more teacher-specific data.

Part of the problem is that businesses never met a piece of data that they did not want to keep.

Let’s assume that roughly 25 million records were compromised.

The approximate number of students enrolled in LAUSD schools is a bit less than a half million.

That means that they had 50 times as many records spinning around as there are students in school.

Why?

Because we can. And we might, possibly, be able to use it some day.

Legally this is likely to get very messy for two reasons. First, we are talking about data on 25 million CHILDREN. Courts are not going to look favorably on that kind of breach. Second, this is not a typical breach of a social security number or credit card number. This is the kid’s home address. Their parent’s information. Their phone numbers. A bunch of other very personal data. In an extreme case, this could get people killed. Generating more lawsuits.

Separately, I got an email from Ticketmaster saying my data was compromised in their Snowflake breach. I’m not sure, but I am guessing the last time I bought a ticket from Ticketmaster was probably 15-20 years ago. Why do they need to keep my information?

I guess it is because they like being sued. That is the only logic I can come up with. Clearly, if I have not bought a ticket from them in the last 15-20 years, I am not a customer and not likely to buy a ticket from them in the next 15-20 years.

Businesses need to consider whether they need particular data at all and, if they do, whether there is a better way to secure it.

Unless, of course, you want to help the economy and keep a bunch of lawyers employed for years. It is your choice.

If you need help with data retention decisions, please contact us.

Credit: Hackread
