The hacker group taking responsibility for the ransomware attack on the City of Oakland has leaked their first batch of files, leaving city employees’ personal data potentially exposed while the hack continues to cripple city systems.
It was February 10 when the City of Oakland acknowledged it had been hit in a ransomware attack, which shut down Oakland City Hall for a few days, and a large number of city-run technical platforms have been hobbled since. Oakland has not paid the ransom demands, which is generally what experts and authorities advise. But the city’s refusal to cave to the hackers’ demands brought a Friday threat that they would release the stolen data publicly, and now KRON4 reports that some amount of that private data has been leaked onto the dark web.
This seems bad. The city acknowledged Friday that it wasn't just a ransomware attack (encryption of files to extort) but that hackers also stole city files and are threatening to leak sensitive data. https://t.co/kTpejBmNkB
— Darwin BondGraham (@DarwinBondGraha) March 3, 2023
According to KRON4, “employee IDs, passports and other documents were shared in the leak.”
We will continue to update our website with information about the remaining impacts and thank our community for their continued support. https://t.co/HHhBrNpkbu
— City of Oakland (@Oakland) March 4, 2023
The Chronicle reports that the leaked data includes birthdates, social security numbers, and home addresses for city workers, including current mayor Sheng Thao and former mayor Libby Schaaf. And, "files include over nine gigabytes of data and documents including hundreds of records related to police misconduct allegations and scanned bank statements from the city’s operating account."
When that hacked data hit the internet Friday, the City of Oakland released a statement. “We recently became aware that an unauthorized third party has acquired certain files from our network and released some of this information,” the statement said. “We are working with third-party specialists and law enforcement on this issue, and are reviewing the involved files to determine their contents. If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law.”
The crippling cyber attack against the City of Oakland, California has been claimed by Play Ransomware /oaklandca.gov @BleepinComputer #cybersecurity #infosec @FBI pic.twitter.com/rjPEdVC02i
— Dominic Alvieri (@AlvieriD) March 3, 2023
Cybersecurity analyst Dominic Alvieri notes above that the hacker collective PLAY Ransomware has taken credit for the attacks.
But the attack also continues to gum up the works with the city’s day-to-day business. “Oakland has reported that the attack has impaired many of its non-emergency systems, including its business tax collections and OAK311,” Oaklandside points out. That site adds “that the city’s invoice system has been taken offline, causing potential delays in payments to city contractors.”
On top of that, Bleeping Computer notes, “All business taxation obligations received a 45-day extension, as the city couldn’t facilitate online payments,” and “Parking citation services were also impacted, not accepting calls or transactions at cashier booths.”
So the city of Oakland now has two large problems on its hands: 1) many city operations are at a complete chokepoint (including the collection of money); and 2) employees may have to worry about some very financially sensitive data being released. Rather chillingly, the Chronicle obtained an internal city email from interim city administrator G. Harold Duffey that told employees, “It would be prudent to regularly review your financial accounts such as credit card accounts, checking and saving accounts,” and “If you notice any suspicious or unauthorized charges or withdrawals, contact your financial institution immediately.”
Image: Almonroth via Wikimedia Commons
This post has been updated to include the Chronicle's reporting on the leaked data.