Snowflake-Linked Breach Strikes Los Angeles School District

The latest in a long list of companies and organizations breached through Snowflake accounts, the Los Angeles school board said thousands of students’ data was stolen.

Shane Snider, Senior Writer, InformationWeek

June 24, 2024


The Los Angeles Unified School District (LAUSD) has confirmed a breach that includes current and former student names, addresses, financials, grades, performance scoring, disability information, discipline details, and parent information.

A threat actor, Sp1d3r, has offered the database for sale on a dark web forum for $1,000. According to the California Department of Education, LAUSD currently has 529,902 students enrolled in grades K-12 at 778 schools. The breach happened in late May, the school system confirmed in a statement to BleepingComputer.

“So far, the district’s ongoing investigation has revealed no evidence of any compromise to our systems or networks; however, the investigation into the scope and extent of the data impacted is ongoing,” a spokesperson said, adding that the district is cooperating with the FBI, CISA, and related vendors as the investigation continues.

The threat actor says it has 11GB of stolen sensitive data, which includes 26 million records with student information, more than 24,000 teacher records, and data from around 500 staff members.

The threat actor appears to be associated with the same group responsible for other Snowflake-related attacks on Ticketmaster, Santander Bank, Advance Auto Parts, Pure Storage, and others. Operating as “UNC5537,” the cybercriminals used credentials harvested at scale by infostealer malware to log into unguarded Snowflake accounts.


An investigation from Mandiant and CrowdStrike says up to 165 Snowflake customer accounts may have been compromised and blamed the breaches on disabled multifactor authentication (MFA) protection. Snowflake did not have a mechanism for companies to enforce multifactor authentication for users. Snowflake has since said it will begin enforcing MFA on accounts.

“UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique or procedure,” Mandiant said in its report. “This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials.”

School districts are increasingly being targeted for cyberattacks. According to a report from Emsisoft, there were 108 cybersecurity incidents in 2023, compared to 45 incidents a year earlier.

Cybersecurity experts say organizations must make data hygiene a top priority, with MFA and other protections top of mind. “The big lesson learned here is one of hygiene,” Jay Mar-Tang, field CISO with Pentera, said in an email. “Multifactor authentication is a foundation concept of the zero-trust framework and should always be enforced on accounts. If your cloud partner or service provider isn’t enforcing it, you should be proactive in enacting it yourself as it dramatically reduces your risk.”
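As an added illustration of what "enacting it yourself" looks like on the Snowflake side (this is example SQL written for this article, not code from Snowflake, Mandiant, or the district), the statements below audit a Snowflake account for password-only users and password-only logins using the SNOWFLAKE.ACCOUNT_USAGE views, then require MFA enrollment through an authentication policy. The view and column names (USERS.HAS_MFA, LOGIN_HISTORY.FIRST_AUTHENTICATION_FACTOR) and the MFA_ENROLLMENT policy property are taken from Snowflake's documented features; the policy name require_mfa and the 30-day window are assumptions, and the account-level policy requires ACCOUNTADMIN or an equivalent role.

```sql
-- Added example: audit a Snowflake account for the credential weakness
-- described in the article (password login with no second factor).
-- Assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema.

-- 1. Active human users who can log in with a password but have no MFA.
SELECT name, login_name, email, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days (assumed window) that used
--    only a password. A credential harvested by an infostealer and
--    replayed against an account without MFA looks exactly like this.
SELECT user_name, client_ip, reported_client_type, event_timestamp
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Require MFA enrollment for all users of the account.
--    (Policy name "require_mfa" is an assumption; create it in a schema
--    of your choice and apply it at the account level.)
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Query 1 is the inventory to drive enrollment; query 2 is the detection: any row it returns after the policy is in place, or from a service account that should be using key-pair authentication, is worth an investigation. ACCOUNT_USAGE views lag live activity by up to a few hours, so for an incident in progress query LOGIN_HISTORY through the INFORMATION_SCHEMA table function instead.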


About the Author

Shane Snider

Senior Writer, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.
