Numerous city workers received alerts this month confirming the worst: Strangers were attempting to open lines of credit on their accounts, using Social Security numbers hacked from the city during a ransomware attack that began Feb. 8.
It’s a nightmare no one would want to experience, but Oakland’s union leaders are just as concerned about the messages they say workers aren’t getting from city leaders, who have yet to offer a pathway out of the ongoing mess.
Citing a lack of communication, union officials say they are now considering lawsuits to secure more extensive credit protections for the thousands of workers whose personal information was stolen last month and posted on the dark web.
“The city has taken no steps; it’s just business as usual, with no interest in taking care of their workers,” said Barry Donelan, the Oakland police officers’ union president, who added that his worst fear is that “a year, two years from now, a young person tries to buy a home and their credit is shot.”
As part of the attack, 10 gigabytes of data in compressed files — a mother lode of IDs, employee forms, passports, home addresses and other sensitive information — were released last month to the dark web, an Internet network where criminal activity is rampant.
Making matters worse for Oakland is that the attack likely also compromised the information of ordinary residents whose data happened to be on file with the city through parking ticket payments or business contracts.
In the wake of the attack, the city alerted federal law enforcement as well as cybersecurity and forensic professionals, began an internal investigation, and guaranteed employees a year of free credit protection through Experian.
But workers want to meet with city leaders to openly discuss why a robustly staffed IT department couldn’t defend against such a large-scale attack — and how another one could be prevented.
“We are hoping that the folks at Human Resources will come around and do the right thing, but if not, we’ve filed a number of grievances already, and we’ll take those to the logical conclusion,” said Zac Unger, the head of the city’s firefighters union.
In a statement, city officials said they had been forthcoming with staff “every step of the way,” through all-employee updates, an FAQ email address, a pair of information sessions and a dedicated call center, plus formal letters “outlining the specific data that was breached.”
In response to the letter from the unionized police officers, the officials said in the statement that they were “looking forward to meeting with them.”
Oakland’s leaders had limited options for recovering the data, given that the hackers in control of it could make infinite copies. The city’s decision to pay for workers’ credit monitoring is a common early step among victimized agencies, but one that is “reactive, rather than proactive,” according to Brett Callow, a cybersecurity analyst at New Zealand-based cybersecurity firm Emsisoft.
“It doesn’t stop fraud; it simply lets people know that it’s happened,” Callow said in a recent interview.
It isn’t known whether the group connected to the attack, Play, is still holding data ransom to extort payments from Oakland, though experts earlier this month warned of a strong possibility that more information is yet to be dumped online.
But another group last week claimed responsibility for the attack — the hacker gang LockBit, which said that it would release more of Oakland’s data online on April 10, the hacker news site Bleeping Computer reported.
LockBit is known to carry out bounty ransomware attacks ordered by third parties, but the Bleeping Computer report noted that the gang has a history of falsely taking credit for high-profile hacking incidents to garner publicity.
Could further damage lie ahead? No one has said for sure, but Daniel Aranki, an assistant professor in information at UC Berkeley, said it’s one of the first steps of transparency that employers could reasonably be expected to provide.
“Ideally you’d want to explain the scope properly,” said Aranki. “There’s a very burning question: If the leak that happened is just a partial dump, what more information could they have?”
City officials said in a statement that they have several considerations to make in deciding what information to release but insisted that they weren’t ducking their responsibility.
“The nature of these kinds of incidents demands that we balance our commitment to transparency with the need to protect the integrity of the investigation and the security of our systems,” the statement said. “We will continue to communicate directly with our employees and our community, sharing updates as we build on our progress.”
©2023 MediaNews Group Inc. Distributed by Tribune Content Agency, LLC.