A look at key successful steps Los Angeles Unified School District took to mitigate damages during a highly publicized 2022 data security attack.
Protecting your important student and school data is an ongoing activity. Cybersecurity measures should be always on, and you should always be preparing for new and emerging threats. Learning from others who have experienced cyber threats and attacks shows you what they went through, the actions they took, and the lessons they learned, so you can apply real-world best practices to improve your own security measures.
One recent 2022 data breach at Los Angeles Unified School District (LAUSD) highlights how being prepared, taking quick actions, and implementing best practices helped mitigate damage at the U.S.’s second largest school district. Rich Gay, PowerSchool’s Chief Information Security Officer, recently spoke with Jack Kelanic, LAUSD’s Senior Administrator/IT Infrastructure, about the cyberattack to see what lessons the district took away from the event.
You can watch the full conversation in this on-demand webinar on moving to the K-12 cloud.
Be Prepared: How a Quick Response Mitigates a Cyber Attack’s Impact
The cyberattack at LAUSD took place on Saturday night over the long Labor Day weekend. The district was fortunate to have systems and staff in place to constantly monitor its technology systems, even after hours. LAUSD was also prepared to take quick, decisive action once the attack was detected with a 24/7 response team. In the middle of the night, a district Network Operations Center technician noticed an alert on the console and escalated it to the director of data center operations.
“Every minute mattered in our response,” says Kelanic. “Within an hour, we deployed our systems engineers, our cybersecurity team, and network team—all dispatched in the middle of the night.”
The district made a bold decision to quickly shut down all its outbound network traffic and lock all user accounts because, at that point, they weren’t sure how deep the attack had gotten. Within 24 hours, LAUSD deployed its cyber insurance, contacted local law enforcement, and had professionals from multiple agencies on site or en route to Los Angeles to help.
“Vendors like PowerSchool and other longstanding technology partners… dove right in, working side by side with us day and night.”
Jack Kelanic, Deputy Chief Information Officer, Los Angeles Unified School District, Los Angeles, CA
“We also engaged our private sector partners—vendors like PowerSchool and other longstanding technology partners who all dove right in, working side by side with us day and night,” says Kelanic.
Fewer than 1% of servers were impacted, and the attackers weren’t able to commandeer critical systems like the district’s student information system (SIS) or its ERP financial system. The district validated its technology systems and made sure they were clear within 48 hours of the initial attack.
“Cyber criminals look to attack you when they know you’re not watching. Because we responded so quickly, it mitigated the impact and success for the attacker. We didn’t miss any school, lose any data, or lose any systems,” Kelanic says.
“Don’t Go It Alone”—Why Enlisting Cyber Incident Support is Critical
The district felt very supported by local and federal law enforcement and its vendors. Even organizations that don’t do business with LAUSD reached out to see how they could support the district throughout the event. Many of the services and partnerships of cybersecurity professionals proved so valuable that the district opted to retain those vendors for possible future events.
“I’ve seen alarming stats that somewhere between 60 and 87 percent of organizations that suffer a cyberattack fall victim to a subsequent attack,” says Kelanic. “We wanted to be mindful to do everything we could to protect ourselves moving forward.”
During the response, LAUSD assembled an advisory panel of technology leadership and cyber experts from throughout the U.S. and around the globe. Kelanic says that many participants donated their time, and everyone gave input and feedback as LAUSD developed its plans.
“There’s help and support available and you don’t need to go it alone, especially considering this isn’t our everyday job. Cybersecurity and incident response is a team sport,” advises Kelanic. “Cyber incident support is a bit of a niche, and there are people who do this work and are good at it.”
Look for These Short-Term Wins to Immediately Improve Your Security
During the incident response, LAUSD developed a mindset of “recover forward.” Kelanic says their goal was to take advantage of every opportunity they could to tighten their security posture.
“We didn’t want to just restore services to the condition they were before the attack. We wanted to do better—and fast,” says Kelanic.
Here are some of the initial steps the district took to quickly bolster its cybersecurity:
- Deploy multi-factor authentication (MFA)—Kelanic says, “The number of compromised accounts on a daily basis has decreased tremendously just by deploying MFA.”
- Improve remote access security—making sure they were managing every connection into and out of their data center. “It creates a little bit of pain to your firewall protection and the overall user experience,” Kelanic says, “but in this moment, we felt that was a value add to our organization.”
- Improve firewall—tightening up the district’s firewall rules.
- Password security—the district implemented password resets for all students and employees. “We went through the entire organization and reset passwords because we weren’t sure exactly which accounts were potentially compromised at that point,” says Kelanic.
- Endpoint protection—LAUSD moved quickly to deploy advanced endpoint protection across hundreds of thousands of endpoints in the organization to ensure they could manage and monitor all activity.

Advantages of Cloud-based Hosting: Less Risk and More Security and Cost Savings
Moving to cloud-based hosting of applications can reduce risk, increase data security, and decrease total cost of ownership. Cloud hosting can offer 24/7/365 monitoring and increased uptime and reliability of your applications.

LAUSD’s goal with cloud hosting and cybersecurity has been one comprehensive roadmap: accomplishing resilience and a better cybersecurity posture while also decreasing its reliance on physical infrastructure and its own data centers. The district is in the process of implementing a multi-cloud strategy working with all three major cloud providers to establish different services and cloud platforms.
The process has involved migrating its major SIS and ERP systems to the cloud. “These are big initiatives,” says Kelanic, “But it’s important to get these Tier 1 applications that have to run every day into the cloud as quickly as we could to protect the crown jewels.”
The district is also moving security, identity and access management, and data analytics to the cloud.
“PowerSchool has made significant investment in our cloud and our application security,” adds Gay. “It’s extremely important that we protect your data and systems. We have a dedicated team of security professionals and we’ve invested in the cloud at significant scale.”
How Gaining Early Cybersecurity Buy-in from Leadership Pays Off
Part of LAUSD’s preparedness before the 2022 event included honest and transparent discussions of its cyber risks, posture, and vulnerabilities with all levels of leadership, including the superintendent, school board, and executive leadership.
“Our CIO had those conversations well in advance of the event ever happening. Then the event brought new opportunities to engage in those types of conversations,” says Kelanic.
Since the 2022 event, LAUSD has been building its forward plan, which has included socializing details with all appropriate levels of leadership.
“When we vetted the plan, no one has pushed back and said, ‘Can you do it cheaper?’ Instead, they say, ‘Can you do it faster?’ People now get the importance of cybersecurity,” says Kelanic.
For those who may resist significant cybersecurity measures, Kelanic suggests focusing on the potential outcomes. “We were fortunate with how things worked out and the overall impact wasn’t devastating to our business, but many organizations have had a tougher time. Think about what it would look like if you lost all of your student records over the last 20 to 25 years. You couldn’t prove that a student had graduated. There are major impacts when you think about education and the type of data that you hold. When you frame those discussions that way, leadership gets it.”