The hackers behind a massive ransomware attack against the city of Oakland delivered on their threat to release sensitive city files by publishing on Friday gigabytes of information online. The leak—part of a major cybercrime involving a breach of the city’s computer systems and theft of years of confidential files and data—includes sensitive information that could be used by criminals around the world to carry out identity theft and financial fraud against city employees and others, say experts who spoke to The Oaklandside.
“There’s plenty of nefarious things that could be done with the information contained in this leak,” said Mike Katz-Lacabe, a San Leandro-based researcher and computer security expert with the Center for Human Rights and Privacy who reviewed the leaked files.
“With someone’s social security number, date of birth and other information, that’s enough to begin an identity theft action or some kind of fraud,” said Katz-Lacabe. “And I’m not sure what you do with someone’s passport, but there are many scanned images of passports that are part of this release.”
The vast trove of records, which The Oaklandside has also reviewed, includes drivers license numbers, home addresses, and other personal details about city workers and elected officials, including the City Council and mayor. We are not publishing information that would assist anyone in locating and obtaining the stolen records.
The city alerted its employees via email shortly after the leak on Saturday, warning them that the ransomware hackers were able to illegally break into the city’s computer systems between Feb. 6 and Feb. 9 and steal thousands of files by downloading them.
“We encourage you to remain vigilant by reviewing your account statements and credit reports for any unauthorized activity over the next 12 to 24 months,” the city email states. Similar to other data thefts against corporations and governments, Oakland is offering its employees a free one-year fraud protection and monitoring service.
An Oakland resident who described themselves as not having any special expertise in ransomware was able to locate, download, and review the leaked data. They told The Oaklandside that hundreds of people have probably already downloaded the files, and that the information is readily available to cybercriminals.
“There are people whose job is stealing lots of IDs, and they’re certainly going to get this as a matter of course, and I’d imagine they’ll apply for lots of credit cards and do whatever they do with stolen information,” said the person, who asked to remain anonymous.
“It seems like [the hackers] did some poking around to get sensitive information and then store that,” they said. “That makes sense as to why they’d have all these bank statements and spreadsheets with like 8,000 social security numbers.”
The leaked files contain a variety of confidential records including Oakland police internal affairs investigations, Human Resource Department investigations of civilian city employees, and investigations that reveal the identities of city whistleblowers, all of which are supposed to be kept secret under state law.
Katz-Lacabe said that as of Monday morning, over 1,100 people have accessed the website where the leaked records are available for download.
The hackers responsible for the crime, known as the PLAY group, have been trying to extort the city, presumably for a financial payment. As leverage, the hackers encrypted many of the city’s files, preventing Oakland from accessing these and causing systems to temporarily go out of service. The city hasn’t said publicly whether it is considering paying the hackers, but the leak Friday appears to show the city isn’t caving to their demands.
On their website, PLAY group indicated that it has even more stolen data from the city and that it will release the “full dump” if the city doesn’t comply with its demands.
As Oakland struggles to get systems online, we asked a cybersecurity expert about what makes cities vulnerable, and who’s often behind the attacks.
The FBI, private security consultants, and the U.S. The Attorney’s Office are helping the city investigate the hack.
“My Administration takes this very seriously and has been working hard to restore systems and provide assistance to anyone impacted” said Mayor Sheng Thao in a statement Monday. “Moving forward we will focus on strengthening the security of our information technology systems.”
City officials said they are reviewing what data was leaked by the hackers and “actively notifying individuals whose personal information is determined to be involved as quickly as possible and in accordance with applicable law and providing resources to protect the personal information of those impacted.”
“This is the sort of thing that could happen to any organization,” said Katz-Lacabe, who noted that BART was the victim of a massive ransomware hack late last year. “All it takes is one person to click on the wrong thing.”
As the Oakland Observer first reported, the city was warned in 2021 by an outside auditor that it was vulnerable to a ransomware attack.
Katz-Lacabe said the city would do well to be transparent about any failures that occurred regarding its IT infrastructure.
“They might have had good security but it still got bypassed, or it might have all been on an [unsecured] file server,” he said. “At some time there was a connection to the attacker taking all this data. Was there an alarm that went off? Was there a monitor? I suspect there was not.”