Hackers Release Oakland City Officials’ Personal Data

Officials confirmed that the data had been leaked and that they were working with the FBI and the California Governor’s Office of Emergency Services (Cal OES) to investigate the attack.

Data released by a hacker group following a February ransomware attack against Oakland includes 12 years of city employee rosters that list thousands of current and past employees’ Social Security numbers, driver’s license numbers, birth dates and home addresses, including those of Mayor Sheng Thao and former Mayor Libby Schaaf.

The San Francisco Chronicle viewed the published files using a link that was published on the dark web over the weekend. The files include over 9 gigabytes of data and documents including hundreds of records related to police misconduct allegations and scanned bank statements from the city’s operating account.

Some of the documents appear to be public records, like lawsuits filed against the Oakland Police Department. But other records, like the Social Security information, could have adverse consequences for the people whose information was released.

“I’m very worried about identity theft,” said one city employee whose personal information was released, and who spoke on condition of anonymity because he was not authorized to comment publicly. “It’s another example of the city not protecting the people who work tirelessly for them.”

The data breach raises questions about the security of the city’s systems. The city has not disclosed how the ransomware attack occurred. Both current and former employees said the city did not have two-factor authentication, a second layer of security for password-protected accounts, for staff until after the ransomware attack. Cybersecurity experts said that without knowing how the hackers gained access, it’s unclear whether two-factor authentication could have prevented the attack.

“We think the city of Oakland has been negligent in their handling of our data,” said Zac Unger, a firefighter and president of the union representing firefighters. “We’ve been telling them for years they should be more careful about the data.”

The release of personal information could leave people vulnerable to identity theft and tax identity theft. A “bad actor” could use the information to get fraudulent tax refunds, apply for a line of credit or commit financial theft if routing numbers and credit card information are available, said Sarah Powazek, the program director of UC Berkeley’s Public Interest Cybersecurity.

Powazek noted that local governments, like Oakland, “make really great targets for ransomware” because they host critical public infrastructure, but may not have the resources to defend against an attack. She said that because the group released the data, it’s likely Oakland did not pay the ransom. The city has not disclosed how much it was asked for in ransom or whether it was asked for ransom at all.

The city said in a statement to The Chronicle that it is working with a third-party data-mining firm to do an “in-depth review” of the released data, which will likely take time. Based on what they find, they will notify staff, the city said.

“My administration takes this very seriously and has been working hard to restore systems and provide assistance to anyone impacted,” Thao said in a statement. “Moving forward, we will focus on strengthening the security of our information technology systems.”

City officials sent an email to current employees on Monday, obtained by The Chronicle, saying that the city had sent a notification about the breach to all staff over the weekend. However, some current and former employees said they had not received the notification.

The city held a town hall on Thursday for current staff detailing recovery efforts and addressing payroll concerns. They told staff they will be required to register for multifactor authentication by mid-month. The city has also offered employees a complimentary membership to Experian, which offers people help with detecting whether their identity has been stolen and what to do if a theft occurs. It’s unclear if an Experian membership has been offered to former employees.

In addition, City Administrator G. Harold Duffey advised staff in an email, obtained by The Chronicle, to “remain vigilant by reviewing your account statements and credit reports for any unauthorized activity over the next 12 to 24 months.”

Officials confirmed to The Chronicle on Friday that the data had been leaked and that they were working with the FBI and the California Governor’s Office of Emergency Services (Cal OES) to investigate the attack. The city said that a “threat actor group” called Play has claimed responsibility.

According to IT management company Avertium, Play launched in June 2022 and was responsible for ransomware attacks on the judiciary of the state of Cordoba in Argentina. It’s unclear why the group targeted Oakland.

The attack, which started Feb. 8, disrupted the city’s ability to process parking tickets and business licenses and pay its employees.

Some City Council members said they were being briefed about the attack in closed session meetings and declined to share details.

In mid-February, the City Council declared a state of emergency over the cyber attack.

(c)2023 The San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.