IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Oakland Employees Sue City Over Ransomware Attack

The filing describes how staffers “suffered and will continue to suffer ongoing, imminent and impending threat of identity theft crimes, fraud and abuse, resulting in monetary loss and economic harm.”

The massive ransomware attack that exposed reams of sensitive personal data stored by the city is now the subject of a class-action lawsuit by city employees who say their information wasn’t properly protected.

It’s the latest development in a torturous saga for Oakland’s city government that began when online hackers infiltrated the city’s data systems, which critics say had been left vulnerable to attack by inadequate security measures, in January.

Since then, ransomware group Play has dumped hundreds of thousands of web pages worth of home addresses, driver’s license information, medical data, social security numbers and more onto the dark web, where they can be accessed by anyone with the correct software.

The lawsuit, filed in late April by police services technician Hada Gonzalez, seeks monetary damages and attorney’s costs from the city, plus a requirement for Oakland officials “to protect, including through encryption, all data collected through the course of business.”

The class-action filing describes how the plaintiffs have “suffered and will continue to suffer ongoing, imminent, and impending threat of identity theft crimes, fraud and abuse, resulting in monetary loss and economic harm.”

The suit follows a legal claim in April against the city by the Oakland police officers’ union, which cited, among other grievances, that the city hadn’t immediately notified union officials of the extent of the attack.

Neither Gonzalez, who isn’t a member of the union, nor the union itself received a response from the city — and both parties are now plaintiffs in the class-action filing, along with several hundred other city employees.

Attorneys in the case did not confirm the exact number of plaintiffs, but said they are actively seeking others who want to join.

“It’s potentially all City employees — ever — whose info was accessed and, potentially, all persons who gave information of any kind to the City,” attorney Scott Cole, whose Oakland-based firm specializes in data breach cases, said in an email.

Together, the employees accuse Oakland officials of being slow to react to the crisis, and suggest the city didn’t take the appropriate steps to encrypt the stored data.

The plaintiffs “remain, even today, in the dark regarding what particular data was stolen, the particular malware used and what steps are being taken, if any, to secure their (health and other identifiable information) going forward,” the lawsuit states.

City officials did not respond to requests for comment on the lawsuit.

“The nature of these kinds of incidents demands that we balance our commitment to transparency with the need to protect the integrity of the investigation and the security of our systems,” they wrote in a statement last month. “We will continue to communicate directly with our employees and our community, sharing updates as we build on our progress.”

An internal report reviewed by city officials last year, months before the attack, had warned that “staffing and resource constraints” were leaving the city vulnerable to “ransomware attacks, cyberattacks and other threats.”

Still, as the number of ransomware attacks grows worldwide, cybersecurity experts note that even sophisticated data systems are susceptible to hacks.

In May, a cyber attack against the Santa Clara Family Health Plan breached the medical information of more than a quarter-million patients receiving affordable health care.

The attack, which officials linked to Russian hackers, extended to 130 organizations across the country.

Oakland has offered a year of free credit protection to employees whose information may have been exposed.

But many workers remain outraged that so much of their personal information is now on the dark web, a segment of the Internet known to be frequented by those looking to steal and make a profit from sensitive data.

“I think it’s a shame that we’re forced as city employees to go to court when our own employer didn’t even give us the decency of picking the phone up,” Barry Donelan of the Oakland police officers’ union said in an interview.

©2023 the San Jose Mercury News. Distributed by Tribune Content Agency, LLC.