Officials in Torrance, California, said last month that none of their roughly 145,000 residents’ personal data had been compromised when the city was hit by a cyberattack that disabled municipal websites and online payment services. But that claim was revealed as incorrect this week following the publication and sale of as much as 200 gigabytes of city data by a ransomware actor.
Hackers behind a ransomware variant known as DoppelPaymer have started leaking documents stolen from Torrance on both a publicly accessible website and dark web forums, in hopes of collecting a bounty of 100 bitcoin — or about $700,000 — from the Los Angeles suburb. A sample of files reviewed by StateScoop shows individuals’ names, dates of birth, Social Security numbers, and other personal identifying information, as well as 181 pages of financial transactions that occurred in the 2019 fiscal year.
The release of the data was first reported by Bleeping Computer.
While the incident confirms Torrance’s place on the ever-growing list of local governments that have been targeted by ransomware, officials’ initial claim that residents’ personal data was not affected is an example of poor crisis management in a cyberattack, said Brett Callow, an analyst with the cybersecurity firm Emsisoft.
“People have unnecessarily been exposed to risk,” he said. “In these cases it’s not only the original criminals people need to worry about, it’s also other criminals who may access [stolen data].”
Callow said Torrance officials should’ve warned their residents early on that there was a risk of data being exposed, especially when the attack involved DoppelPaymer, malware known to be used for stealing and publishing victims’ files in hopes of leveraging a payout.
“These incidents now have to be regarded as data breaches, especially when it’s a group that’s known to steal data,” he said. “Otherwise people whose data has been exposed are just sitting ducks.”
In publishing and selling the data it stole from Torrance, the DoppelPaymer hackers are following a formula used by other attackers, notably a group that has used the Maze ransomware against a string of corporations and the City of Pensacola, Florida. (Last week, the global IT services firm Cognizant acknowledged it, too, had been hit by Maze.)
Callow said it’s not surprising that DoppelPaymer would follow in Maze’s footsteps in publicly pressuring its victims to pay up. Other ransomware attackers, including those behind the Sodinokibi bug used in the attack last August that targeted 23 Texas communities, have also adopted the tactic.
“They’re adopting strategies that are proven to work,” he said. “These leak sites are treasure troves for identity thieves.”
Callow said governments may want to look at shortening the legal windows that entities that suffer data breaches are given to disclose the incidents to their customers. Laws vary from state to state, but most give organizations between 30 and 60 days.
“They should be doing credit monitoring as soon as possible,” Callow said. “People should find out their data has been exposed directly from the organization, not when they see a statement for a credit card they never applied for. That’s why prompt notification is critical.”
Ransomware attacks against government agencies decreased in the first quarter of 2020 compared to last year, according to research Emsisoft published Wednesday. Callow said the drop can actually be attributed to the COVID-19 global pandemic, which he said has potentially presented hackers with smaller attack surfaces as non-essential services are shut down, though the Emsisoft report also noted that ransomware can be seasonal.
Still, a temporary slowdown in ransomware attacks is no reason for a government to let down its guard, as hackers are quick to pivot their tactics to meet the zeitgeist, Callow said.
“The bad guys are pivoting to COVID-related things,” he said. “They’re just switching it up from tax-related scams and spams to COVID-related scams and spams.”