Oakland City Hall. Credit: Amir Aziz

The ransomware attack against the city of Oakland appears to be getting worse.

On Friday, Oakland acknowledged in an update on the city’s website that files were taken from the city during the cyberattack, which began in February, and that some of this data, possibly including sensitive personal and financial information, might be released publicly.

“[W]e recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly,” the city posted. “We are working with third-party specialists and law enforcement on this issue and are actively monitoring the unauthorized third party’s claims to investigate their validity. If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law.”

Oakland did not provide any more details in its brief statement.

But according to reports on multiple cybersecurity websites, a criminal organization known as the PLAY ransomware group has taken responsibility for the hack. A report on the website BleepingComputer linked the attack to a post in an online forum by members of PLAY who stated they plan to release “private and personal confidential data, financial, gov and etc. IDs, passports, employee full info, human rights violation information.” The PLAY group’s claims were first noted by security researcher Dominic Alvieri.

A ransomware attack involves gaining access to a company or government computer system and then encrypting all or many of the organization’s files so that they’re no longer usable. This causes systems to become inoperable. Hackers extort cities for money by offering to sell them the decryption keys to regain access to files.

Oakland has reported that the attack has impaired many of its non-emergency systems, including its business tax collections and OAK311. An email shared with The Oaklandside also shows that the city’s invoice system has been taken offline, causing potential delays in payments to city contractors.

PLAY is one of many criminal organizations that carry out ransomware attacks. A similar group called Hive was taken down by the FBI recently. Hive was responsible for thousands of attacks in over 80 countries that resulted in the extortion of over $100 million. Less is known about PLAY, which takes its name from the fact that encrypted files are left with the extension “.play” after a successful attack.

Ricky Rodas contributed to this report.

Before joining The Oaklandside as News Editor, Darwin BondGraham was a freelance investigative reporter covering police and prosecutorial misconduct. He has reported on gun violence for The Guardian and was a staff writer for the East Bay Express. He holds a doctorate in sociology from UC Santa Barbara and was the co-recipient of the George Polk Award for local reporting in 2017. He is also the co-author of The Riders Come Out at Night, a book examining the Oakland Police Department's history of corruption and reform.