The Los Angeles Unified School District (LAUSD) has confirmed a data breach after threat actors stole student and employee data by breaching the district's Snowflake account.
Snowflake is a cloud database platform used by numerous major companies worldwide for data storage.
Earlier this month, a threat actor began selling data from various companies, including TicketMaster, Santander Bank, Advance Auto Parts, and Pure Storage, claiming the data was stolen from Snowflake. A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that a threat actor, tracked as UNC5537, used stolen customer credentials to target at least 165 organizations that had not enabled multi-factor authentication (MFA) on their accounts. After gaining access to the accounts, the attackers downloaded all the data and attempted to extort the companies, threatening to sell or leak the data if their demands were not met.
On June 18, the threat actor known as 'Sp1d3r,' who had previously sold data from other Snowflake breaches, began selling LAUSD's data for $150,000, claiming it was stolen from Snowflake. The stolen data reportedly includes student names, addresses, family information, demographics, financial records, grades, performance scores, disability details, discipline records, and parent information.
After reviewing a sample of the data, LAUSD confirmed to BleepingComputer that it was stolen from its Snowflake account. "As previously stated, on June 6, 2024, Los Angeles Unified became aware of an account from a malicious actor purporting to offer certain student and employee data for sale," a LAUSD spokesperson told BleepingComputer.
"Through its extensive and ongoing investigation, the District has determined that the data in question was maintained by one or more Los Angeles Unified external vendors on Snowflake, a cloud-based platform used for mass data storage, and appears to have been stolen in a manner consistent with recently publicized thefts involving numerous Snowflake accounts."
"So far, the District's ongoing investigation has revealed no evidence of any compromise to our systems or networks; however, the investigation into the scope and extent of the data impacted is ongoing."
LAUSD is collaborating with the FBI, CISA, and its vendors to investigate the incident further.
It appears that more than one threat actor accessed LAUSD's data. Another threat actor named 'Satanic' began selling the district's data almost two weeks earlier, on June 6, for $1,000. This data set is said to contain 26 million records with current and former student information, more than 24,000 teacher records, and around 500 staff records. 'Satanic' has since released this data for free, making it available for any cybercriminal to download and exploit.
However, it is unclear where this data originated, as it does not appear to have come from Snowflake. BleepingComputer reached out to LAUSD to confirm the origins of the data leaked by 'Satanic' but did not receive a response.
Given the massive amount of LAUSD data circulating on hacking forums, all students, teachers, and staff members should consider their data exposed. It is essential to remain vigilant against unsolicited emails, texts, and phone calls attempting to steal additional information, such as passwords, as it is common for threat actors to use leaked data in subsequent campaigns.