California’s largest state employee union fell victim to a ransomware attack last month that, according to a cybersecurity analyst, likely exposed Social Security numbers, home addresses, birth dates and other sensitive information.
The union, which represents close to 96,000 California state workers, first reported news of a “network disruption” on Jan. 20, two days after the breach occurred. At the time, SEIU Local 1000 told members that it was “currently assessing what was affected.”
An update released Monday evening in the form of an open letter confirmed the breach, but offered few details about what data was compromised and who was affected.
“This incident was a criminal cyber act and is being treated as such as we assist law enforcement,” the statement said.
Union spokesperson Jim O’Donnell confirmed Tuesday that authorities were investigating the incident but declined to identify which law enforcement agencies were involved. He also said investigators were still determining whether any personal data — employees’ or members’ — was compromised.
Threat analyst Brett Callow of the cybersecurity firm Emisoft told The Sacramento Bee that a ransomware operation known as “LockBit 3.0” was responsible for the data breach.
A screenshot of the hackers’ darknet website suggests that 308 gigabytes of data were captured by the attackers. That data appears to include Social Security numbers, residential addresses, phone numbers, birth dates and other personal information.
Callow explained to The Bee how ransomware groups such as LockBit 3.0 carry out attacks.
“First, they steal a copy of the data, and then they encrypt or lock the computer from which it was stolen. And they demand a ransom to unlock the computers, and to supposedly delete the stolen data,” Callow explained. “If the victim doesn’t pay the amount they are asking, the data gets released on that website, on the dark web.”
O’Donnell declined to say whether the ransom had been paid.
”As we continue to restore our systems and work through an ongoing forensics investigation, we are attempting to determine whether personal information may have been accessed during the incident,” read Local 1000’s statement from Monday. “If so, we will notify all affected individuals by mail.”
©2024 The Sacramento Bee. Distributed by Tribune Content Agency, LLC.
