Group behind Oakland, Calif., ransomware posts second, bigger data dump
The ransomware gang linked to a February attack on the City of Oakland, California, published a second trove of stolen municipal data this week, releasing about 600 gigabytes of files, potentially exposing sensitive information on thousands of city employees.
The threat group, known as Play, posted the data on its leak site, following up on an initial data dump in early March, when it posted about 10 gigabytes of Oakland’s files.
City officials confirmed the latest batch of stolen data on Tuesday afternoon.
“As a further community update, we recently became aware that the same unauthorized third party claiming responsibility for the ransomware incident has posted additional data allegedly taken from our systems during the incident in February to a website not searchable via the traditional Internet,” an Oakland City Hall statement reads.
The ransomware incident occurred Feb. 8, when a network disruption led to the deactivation of numerous city services and the shuttering of some government offices to the public. In the two months since, Oakland has steadily restored some of those services, including its 311 line, government contracting portal and online permit application system.
But now, the city is facing legal fallout from the attack. The Play group’s first data dump in March reportedly contained files dating back over a decade, many of them pertaining to police personnel disciplinary records and other rosters of city employees, exposing personal information.
According to the Oaklandside, a news site in the San Francisco Bay Area city, a union representing Oakland Police Department officers has filed a claim demanding a $25,000 payout to each officer affected by the breach. In a statement last week, the Oakland Police Officers’ Association accused city leaders, including Mayor Sheng Thao and Interim City Administrator G. Harold Duffey, of “stonewalling” city employees about the extent of the ransomware incident.
“Oakland city leaders talk about accountability, yet there has been zero accountability and a deafening silence for the safety and financial security of the city’s valued employees,” Barry Donelan, the association’s president, said in the statement. “This city is truly broken when city employees learn more about the release of their confidential information from the media than their employer, whose incompetence and sloppy security allows these data breaches to occur.”
City officials have said they are extending credit-monitoring and identity-protection services to anyone whose information was swept up in the ransomware incident, and that potential victims continue to be notified. The attack itself remains under investigation.
“We are working with third-party specialists and law enforcement to investigate and we will continue conducting a thorough review of the involved files,” the city’s Tuesday statement read. “As noted above, we are in the process of notifying individuals whose information was involved in this incident, and will continue to do so in accordance with applicable law.”
Previous ransomware incidents involving big-city police departments have also led to clashes between officers’ unions and city leaders. Following a 2021 incident targeting Washington, D.C.’s Metropolitan Police Department, its union filed a grievance against the city, claiming the theft of data on hundreds of officers violated its collective bargaining agreement.