By Benjamin Pimentel | Examiner staff writer Apr 6, 2023 Updated Apr 7, 2023
Two months after a major network breach, the City of Oakland is reeling from a ransomware attack that has steadily morphed into a broader crisis.
Oakland just confirmed that more data has been released onto the Dark Web by the culprits. The data theft has caused an even bigger rift with the city’s police union, which filed a complaint accusing Oakland officials of keeping law enforcers in the dark about the impact of the breach.
“The response is terrible,” Oakland Police Officers’ Association President Barry Donelan told The Examiner. “It’s pathetic.”
The crisis began Feb. 8 when Oakland city officials discovered that the city’s network had been hacked in a suspected ransomware attack. The city announced the breach two days later, saying “the public should expect delays from the City as a result.”
The impact of the attack became evident to Oakland police officers. “Cops came to work and realized their field based reporting system in the cars wasn't working,” Donelan said. That meant they had no easy access to the data system for crime reports and investigations.
“That wasn't working,” Donelan said. “Turns out that overnight, the first week of February, the whole thing was locked up and we didn't know what it was.”
Donelan said Oakland police found out about the breach from media reports before city officials confirmed the attack. Five days after the breach, the city said it had to take its network offline “to contain the attack.”
Key services were taken offline, although some were eventually restored, including Oakland’s 311 phone system used for infrastructure emergencies. One of the critical areas that the city had to address was payroll, Donelan said. “We had just been paid so it was 10 days out, maybe two weeks out for the next payroll,” and the big question was, “How do you pay people?”
That was subsequently resolved by the city, but the sudden network breakdown led to disruptions, he added. “I was shocked at the operational challenges this brought up right across the city.”
The disruption was particularly disorienting for young police officers, who grew up in a digital world and had no idea how things were done before the web, he said.
“I've got more than 20 years of service” and suddenly “you're telling these young lads on patrol, ‘Here's a pen and paper. Write a report,’” he said. “And they're like, ‘Why?’ They've never done that. That was kind of an interesting experience for a few days.”
Then the crisis took a tougher turn when it was revealed that the personal financial information of employees had been stolen.
Initially, city officials told employees and employee unions that “there was no indication that any personal data was released,” Donelan said. But in early March, the city announced that city officials “recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly.”
By then, the Oakland breach had become known to some cybersecurity companies that routinely monitor so-called Dark Web sites used by ransomware groups.
Sergey Shykevich, Check Point Software's threat intelligence group manager, said a ransomware group would typically “publish only the fact that some company or organization or city was breached,” which then kicks off negotiations. When the “victim” organization refuses to pay up, the attackers start publishing some of the information they stole, he told The Examiner.
Rafe Pilling, researcher with Secureworks, another cybersecurity company, describes the attacks as a “lock and leak” operation.
“They will compromise an organization,” he told The Examiner. “If they just steal data, they'll use that as leverage. If they steal data and encrypt systems, then they'll enter into a negotiation phase with the victim. This is the standard MO.”
The ransomware group will “start to pile on the pressure,” he added. “If the negotiations aren't going well, they can publish to a leak site. They might just say, ‘We have compromised organization X. If they don't pay up in 10 days, 15 days, whatever it might be, we will publish [their data].’ Sometimes they’ll publish a little bit of teaser data, like some like proof of breach or proof of life.”
The revelation stunned many Oakland police officers and other employees, Donelan said. What was particularly frustrating was that they learned that personnel data had been compromised from media reports, not from city officials, he added. On March 30, the police union filed a legal claim against the city, seeking damages for the harm caused by the breach, which led to the “dissemination” of “confidential and sensitive information.”
The breach, the complaint said, “was a foreseeable consequence of the City’s failure and refusal to implement reasonable, adequate, and industry-standard information security protocols.” The complaint said the city had been “explicitly warned at least twice” that its network security had “significant deficiencies.”
“The city attorney does not have a comment at this time,” a City of Oakland spokesperson told The Examiner.
On Tuesday (April 4), the city issued an update, saying an “extensive manual review” has “determined that the personal information of certain current and former employees and a limited subset of residents.”
Within the Oakland police force, the leaks have been disruptive and demoralizing for many officers. The complaint said police officers have been forced to spend money on “credit and identity theft protection services” and other “services to remedy specific instances of credit and identity theft, and lost opportunity to acquire credit at rates they otherwise would have qualified for absent the damage to their credit caused.”
Donelan said, “I’ve got retirees calling every day like, ‘Are we impacted?’ I’ve got folks who are newer officers trying to buy homes and want to see if they qualify for mortgages and are worried about the impacts.”
Donelan portrayed the legal complaint as a reaction to the lack of transparency from the city.
“All we wanted to do was collaborate with the city to minimize these impacts, get operations back up and protect city employees and their families from the damage as a result of all their stuff being released,” he said.
The union understood that dealing with ransomware groups involves sensitive issues, he said: “I understand you don't want to reveal the investigation. I mean, I’m a policeman. I understand the importance of that. But people need to be told to protect themselves and to understand what the situation is. And the city does have the responsibility to protect our private information.”