The ransomware attack against the city of Oakland appears to be getting worse.
On Friday, Oakland acknowledged in an update on the city’s website that files were taken from the city during the cyberattack which began in February and that some of this data, possibly including sensitive personal and financial information, might be released publicly.
“[W]e recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly,” the city posted. “We are working with third-party specialists and law enforcement on this issue and are actively monitoring the unauthorized third party’s claims to investigate their validity. If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law.”
Oakland did not provide any more details in its brief statement.
But according to reports on multiple cybersecurity websites, a criminal organization known as the PLAY ransomware group has claimed responsibility for the hack. A report on the website BleepingComputer linked the attack to a post in an online forum by members of PLAY, who stated they plan to release “private and personal confidential data, financial, gov and etc. IDs, passports, employee full info, human rights violation information.” The PLAY group’s claims were first noted by security researcher Dominic Alvieri.
A ransomware attack involves gaining access to a company or government computer system and then encrypting all or many of the organization’s files so that they’re no longer usable. This causes systems to become inoperable. Hackers extort cities for money by offering to sell them the decryption keys to regain access to files.
Oakland has reported that the attack has impaired many of its non-emergency systems, including its business tax collections and OAK311. An email shared with The Oaklandside also shows that the city’s invoice system has been taken offline, causing potential delays in payments to city contractors.
PLAY is one of many criminal organizations that carry out ransomware attacks. A similar group called Hive was taken down by the FBI recently. Hive was responsible for thousands of attacks in over 80 countries that resulted in the extortion of over $100 million. Less is known about PLAY, which takes its name from the fact that encrypted files are left with the extension “.play” after a successful attack.
Ricky Rodas contributed to this report.