IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Out of Crisis, Opportunity: LAUSD's Fight Back From the Ransomware Brink

What could have been a digital quagmire for California’s largest school district served as a chance to hone cyber response and gird its more than 250 applications used by some 1.6 million users.

Los Angeles Unified School District CIO Soheil Katal speaking during the AWS Imagine conference in Sacramento, Calif., July 12.
Los Angeles Unified School District CIO Soheil Katal speaks during the AWS Imagine conference July 12 in Sacramento, Calif.
Eyragon Eidam/Government Technology
SACRAMENTO, Calif. — When cyber criminals punched into Los Angeles Unified School District’s systems over Labor Day weekend in 2022, the CIO was awakened by the early morning call everyone in IT dreads: “There’s movement in the network.”

That initial alert was followed by the scramble to secure connected assets and get a clearer picture of the rapidly evolving cyber incident, LAUSD CIO Soheil Katal told attendees of the AWS Imagine conference July 12.

What could have been a crippling blow to the district and its 670,000 students served instead as a valuable opportunity for all involved to prepare for the next crisis, he said, characterizing the incident as unsuccessful. “If it was successful, I wouldn’t be here,” he joked.

“We were able to contain the threat within the first hour or second hour, but really it was a battlefield to get it done,” Katal said. For every missed school day, the district was set to lose millions of dollars in state funding, not to mention the disruption to meal services, transportation and other critical operations. Because the team was able to stabilize the situation, classes resumed as usual after the holiday weekend.

Cyber attacks are now expected as part of doing business for schools around the world. In the U.S., a lack of IT resources, budget limitations and the sensitive data of children make the education sector a prime target for ransomware groups. Successful attacks often cost far more than ransom — privacy, credibility, insurance rates, downtime and a laundry list of other negative impacts must also be reconciled, Katal said.

From the time of the initial call, LAUSD staff worked to completely lock down the network, isolating the opportunity for data thieves to move around. The FBI and CISA were in contact immediately and on site within 24 hours.

“Minutes count,” Katal repeated throughout his presentation.

The speedy reaction from the district IT team and partners left valuable evidence intact, unlike some other high-profile attacks where thieves locked, or rather encrypted, the door behind them.

“For us, we were lucky, we were able to contain the system and we were able to share a lot of IOC (indicators of compromise) intelligence net resources with these agencies,” he said.

The strategic response is what saved the district from an enormous and extremely sensitive data exposure. Of the 16 petabytes of data under the district’s control, only around 400 gigabytes — roughly the storage capacity of a laptop — was actually lost to attackers, Katal said.

It should come as no surprise that the largest district in the state would be a tempting target for cyber criminals: 250 applications, 1.6 million active directory users and some 130,000 networked devices. It’s a big and potentially lucrative target, Katal admits, noting that 33.5 million attempted malware attacks are launched against their systems each year.

Adding to the challenges is the fact that not every network user in the district can be trained to the same level. Students often struggle with — or worse, don’t care about — the importance of strong password protections or avoiding suspicious links and questionable downloads.

“That’s why you need to complement with a lot of other strategies beyond that to protect K-12,” Katal said.

Unfortunately, the odds are not in LAUSD’s favor when it comes to the potential for a re-breach, though Katal said he is confident the district is more prepared than ever. New resources, governance and strategies are in place to avoid joining the roughly 80 percent of organizations that get hit with ransomware within a year of their first attack.

“I’m waiting for August, but I’m protecting my system to make sure it’s not going to happen to me,” he joked.

His advice for those who find themselves receiving the same dreaded late-night call he got: “Protect yourself and avoid paying the ransom, that was the lesson No. 1 we learned from the FBI, from CISA and everybody else,” he said. “No matter what, your data is going to leak on the dark web, one way or another. Never trust a bad actor.”
Eyragon Eidam is the web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at