Oakland’s police union filed a claim against the city after a ransomware attack released personal information for thousands of current and former city employees, union officials said this week.
The legal filing, which asks for monetary damages of up to $25,000 per affected employee, argues that the city failed to implement “reasonable, industry-standard security protocols for its information systems” and that as a result, employees’ personal information was released.
The filing comes nearly two months after the city reported a ransomware attack by a hacker group that released 12 years of city employee rosters, including a list of thousands of current and past employees’ Social Security numbers, driver’s license numbers, birth dates and home addresses.
The files included over 9 gigabytes of data and documents, including hundreds of records related to police misconduct allegations.
Barry Donelan, the president of the police union, said in a statement that the attack “paralyzed operations,” and he called for a meeting with Mayor Sheng Thao, whose personal information was also released.
“Having to file this legal claim is disappointing,” Donelan said in a statement. “Oakland employees trusted the city with their personal and confidential data, and the city failed them by releasing it through a combination of incompetence and negligence.”
Donelan told The Chronicle that he hoped the result is not a payout but instead a “cohesive plan” that protects staff’s personal information.
Oakland declined to comment on the claim because it had not had time to review the filing. The city also did not answer questions about the status of its recovery from the attack and what systems are still affected.
On its website, the last public statement about the attack was on March 22 and stated that the city has sent notification to current and former employees whose information was impacted by the attack.
The legal filing states that Oakland has “significant deficiencies” in its information security. It quotes a report presented to the City Council in March 2022 that identified “weaknesses within the city’s information security program,” adding that those “including outdated policies and procedures, a lack of risk assessment and testing programs, and a failure to appropriately staff and fund its information technology security capabilities,” leaving the city vulnerable to ransomware attacks.
Security experts have said municipalities are often prime targets for ransomware attacks because they house vast amounts of public information and don’t always have enough resources to invest in their technology departments.
In 2022, the city appointed a new chief information officer, Tony Batalla, and the first chief information security officer. In total, the city’s IT department has 89 budgeted full-time positions and 17 vacancies. The city also partners with a security awareness company to provide cybersecurity training for staff.
©2023 The San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.