In February, the City of Oakland, CA experienced a high-profile ransomware attack that forced them to take several systems offline and declare a local state of emergency.
The City of Oakland was targeted by the PLAY ransomware gang and the attackers were able to steal sensitive data from the city's systems which included personal information of city employees (birthdates, addresses, social security numbers, etc.) as well as financial records.
In addition, highly confidential records, including Internal Affairs investigations of the Oakland Police Department and civilian city employees, as well as records revealing city whistleblowers' identities, were also part of the breach. This type of data takes the risk a step beyond identity theft and can very well put people in physical danger.
This week, the hackers made good on their ultimatum and released nearly 10 gigabytes of data on their website, which has attracted more than 1,100 visitors as of this writing.
Initial reports stated this data was mostly financial and personal information that is used for identity theft, as opposed to the confidential law enforcement and whistleblower records – but that may be intentional by the hackers, who are possibly saving the more dangerous data for the next wave to be released.
The PLAY ransomware gang has signaled this is the first of many data leaks until their demands are met. What specifically these demands are has not been confirmed, but there are reports that the ransomware gang is demanding up to $9 million for the files.
Ransomware attacks have become increasingly common in the government sector in recent years, due to the large-scale impact an attack can have on an entire city or municipality. In fact, 12% of all ransomware attacks in 2022 were on municipalities, according to an industry survey – and that is 12% of the reported number of ransomware attacks, which is much lower than the actual number.
The City of Oakland has confirmed they are working with law enforcement, including the FBI, and with a third-party organization to restore any impacted systems. They are also providing resources for those who suspect, or may know, that their information was part of the attack (or leak) including credit monitoring and freezes.
With these controls in place, organizations can better minimize and mitigate the damage and ensure an expedited recovery effort. It’s paramount to implement these controls early to minimize the potential risks.
A proactive approach to addressing cybersecurity risks can be the difference between identifying and preventing a malicious event such as a ransomware attack and suffering one.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.