The Lionel J. Wilson Building in Frank Ogawa Plaza. Credit: Darwin BondGraham

As Oakland recovers from a devastating ransomware attack, the city faces a new risk: potentially costly lawsuits from employees, residents, and anyone else who might have been harmed by the hack.

Since the data breach was revealed in February, four legal claims and one class action lawsuit have been filed against the city. Under California law, an individual seeking damages from a government agency must first file an administrative claim with the public agency allegedly responsible for the harm. If the claim is rejected, then the person can file a lawsuit.

Hada Gonzalez, an Oakland police services technician, appears to have filed the first claim against the city on March 9. Gonzalez claims cybercriminals breached Oakland’s “inadequately protected information network” and accessed her personally identifiable information, which she does not describe in detail. Gonzalez said this has increased the risk she will become a victim of identity theft, caused her to worry about the security of her personal information, and caused unspecified out-of-pocket expenses.

Gonzalez filed a class action lawsuit on April 25. In the suit, Gonzalez said she’s been forced to explore identity theft insurance options and credit monitoring. Gonzalez is represented by the Cole and Van Note law firm and the Rains Lucia Stern St. Phalle & Silver PC law firm. Class action suits are designed to let individuals sue on behalf of a much larger group of people, who can all potentially benefit from a settlement or verdict.

Hackers allegedly affiliated with the criminal group PLAY infiltrated Oakland’s computer systems on Feb. 8, cutting off access to files and databases for many departments and shutting down services like Oak311. The hackers also stole over a decade’s worth of sensitive data from city servers, including the social security numbers and dates of birth of city employees and some residents, and confidential records from OPD, including discipline records and internal affairs investigations.

Ransomware attacks are a common extortion scheme across the world, and hackers frequently target local governments in the United States because they contain treasure troves of data that can be used in other crimes like identity theft and fraud. There were approximately 330 ransomware hacks of U.S. government organizations between 2018 and 2022, according to the cybersecurity research website Comparitech.

Oakland spokesperson Nicole Neditch said the city has notified approximately 13,000 people who were impacted by the breach. As of April 27, she said nearly all of the city’s IT systems have been restored. Neditch said the city doesn’t comment on pending litigation. Oakland officials haven’t publicly discussed whether the city will meet the demands for payment, but in recent weeks the hackers have published hundreds of gigabytes of data online, putting an unknown number of Oaklanders at risk for identity theft and fraud.

While the attacks and ransoms are frequently well-publicized, there’s been little coverage of the long-term legal consequences. In the case of Oakland, the publication of data has allegedly harmed some city workers.

A second claim was filed on March 23 by an OPD sergeant, Bradley Keith Young, who complained that his personal information was compromised in the hack.

“I have received several notifications that my Social Security number has been used on the Dark Web and a freeze was needed to be placed on my credit,” Young said in his claim, referring to websites where criminals buy and sell stolen data. “In addition, due to the public safety nature of my employment I subscribed to IronWall 360 for protection. I am seeking reimbursement for this.”  

A third claim was filed on March 30 by David Martinez, a construction inspector. Martinez, who also appears to be represented by Cole and Van Note, accused the city of failing to protect his sensitive information. 

The most significant claim was filed by the Oakland Police Officers’ Association on behalf of all its members on March 30. The police union claims several of its members have received notifications that credit cards are being fraudulently opened in their names using data obtained in the breach, and some have allegedly struggled with credit-related problems.  

Other unions representing Oakland City employees have not filed claims since the attack, but they did demand assistance for their members. On March 31, the Oakland City Union Coalition demanded officials provide credit and identity protection services for no less than five years at no cost to employees or impacted retirees. The coalition also asked the city to provide training and workshops for impacted individuals and grant employees up to eight hours of time to handle breach-related issues.

The coalition represents all of Oakland’s major unions, including the Service Employees International Union Local 1021, the International Federation of Professional and Technical Engineers Local 21, the International Brotherhood of Electrical Workers 1245, the International Association of Fire Fighters Local 55, and the Confidential Management Employees Association.  

“The Mayor’s budget proposal makes major investments in the IT Department, and a hiring blitz that will help us better staff the IT Department,” Luke Thibault, spokesperson for IFPTE Local 21, told The Oaklandside. “We support these additional efforts to strengthen our city’s cybersecurity protections in the future.”

Zac Unger, head of the Oakland fire fighters union, told The Oaklandside his organization is reviewing its options and reserves the right to file a claim in the near future.

John Yanchunis, a Florida-based attorney who handles class action lawsuits, said it’s difficult to sue governments over data breaches because they enjoy broad protections against civil or criminal suits. He noted that municipal governments frequently have insurance that can pay out claims before they advance too far. 

“I tend not to sue government anymore,” Yanchunis told The Oaklandside. 

There have been notable cases where government agencies were forced to pay dearly for cyber intrusions. Last year, a federal judge finalized a $63 million settlement for thousands of current and former federal employees whose personal information was hacked from the federal Office of Personnel Management in 2015. About 22 million people were affected by the breach and over 19,000 filed claims.

Local governments may be able to avoid lawsuits by proactively offering affected employees and residents assistance in the form of free credit monitoring, as has been requested by some of Oakland’s unions.

This is what Contra Costa County officials did last year after notifying locals that a hacker had gained access to sensitive information in emails from the Employment and Human Services Department. A county spokesperson said the county has received one lawsuit regarding the breach, which is still working its way through the legal system.

Eli Wolfe reports on City Hall for The Oaklandside. He was previously a senior reporter for San José Spotlight, where he had a beat covering Santa Clara County’s government and transportation. He also worked as an investigative reporter for the Pasadena-based newsroom FairWarning, where he covered labor, consumer protection and transportation issues. He started his journalism career as a freelancer based out of Berkeley. Eli’s stories have appeared in The Atlantic, NBCNews.com, Salon, the San Francisco Chronicle, and elsewhere. Eli graduated from UC Santa Cruz and grew up in San Francisco.