Oakland's ransomware attack is now a data exposure incident.
N2K, Mar 6, 2023

A ransomware attack impacting the city of Oakland, California has developed into a data exposure incident.

Oakland's ransomware attack is now a data exposure incident.

A ransomware attack early last month on the city of Oakland, California may have resulted in a leak of the stolen information. The Play ransomware group, which has claimed the attack, announced Thursday on its leak site that it would release the stolen data on Saturday, the Record reports. The group now appears to have made good on its threat: the San Francisco Chronicle says the gang has in fact dumped some of the data online.

Ransomware attack becomes a data leak.

A February 8 ransomware attack against the city of Oakland, California, has resulted in the release of stolen data by Play, the ransomware gang behind the attack, Bleeping Computer wrote Saturday.

In a Friday update from the city, Oakland officials shared:

“While the investigation into the scope of the incident impacting the City of Oakland remains ongoing, we recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly. We are working with third-party specialists and law enforcement on this issue and are actively monitoring the unauthorized third party’s claims to investigate their validity. If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law.

“Protecting the confidentially (sic) of the information we hold is a responsibility we take seriously. We will continue to work diligently to investigate and address this incident while working with our expert teams to enhance our security even more moving forward. We apologize for any disruptions this incident may have caused, and we thank our community for their continued support.”

While the city government has neither confirmed nor made a statement on the actual release of data, and indeed hasn’t updated its post on the attack since Friday, some reports note that data have allegedly already been leaked on a site run by the Play ransomware gang. Emsisoft threat analyst Brett Callow told SFGATE on Friday evening that data had already been published, though the outlet did not confirm that itself. The leak involves a “10GB multi-part RAR archive” containing sensitive information, wrote Bleeping Computer. The Play gang said on its site that the stolen information includes “Private and personal confidential data, financial information. IDs, passports, employee full info, [and] human rights violation information.”

Oakland’s recovery.

Following the initial ransomware attack, Oakland was forced to declare a state of emergency, Infosecurity Magazine wrote this morning. The February attack was said to affect online payment of fees and taxes within the city, as well as phone connections with city agencies, the San Francisco Standard reported Friday. Infosecurity Magazine aptly observes that the city’s continuing disruptions from the attack, together with its “workstation restoration” efforts, likely indicate that no ransom was paid to the gang.

Industry commentary on potential mitigations for incidents like these.

David Mitchell, Chief Technical Officer at HYAS, notes that this pattern is typical of the ransomware group and argues that a protective DNS solution can stop such attacks:

“This ransomware group likes to start by using remote code execution (RCE) attacks on Exchange servers to gain access and then deploy their ransomware. If that was the case with Oakland, not only do they need a protective DNS solution to prevent the outbound communications from the malware but they may have failed to update vulnerable software on internet facing systems, making this even easier than using email as the initial infection vector. If this was an RCE on Exchange, a protective DNS solution would have quickly identified and blocked the malicious DNS transactions and contained the problem to the initial infection vector.”
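Mitchell’s point is that the malware’s outbound name lookups are an observable control point: a protective DNS layer checks each query before resolving it and records which host made a blocked request. The script below is an added illustration of that idea, not code from the article or from HYAS. It models a resolver-side policy over constructed query-log lines, using a blocklist plus a simple entropy heuristic for machine-generated names; the domains, IP addresses, thresholds and log format are all assumptions.

```python
"""Minimal protective-DNS policy check over resolver query logs.

Added illustration, not code from the article or from HYAS. Each outbound
lookup is checked against a blocklist and a DGA-style heuristic before it
would be answered, and blocked lookups are recorded with the querying host
so responders can find the infected machine. All names and IPs are constructed.
"""
import math
from collections import Counter
from dataclasses import dataclass

# Constructed blocklist: exact domains, and whole zones (leading dot = suffix match).
BLOCKLIST = {"evil-c2.example", ".malware-host.example"}

# Assumed thresholds: a long, high-entropy leftmost label looks machine-generated.
MIN_DGA_LABEL_LEN = 12
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str) -> bool:
    """Heuristic: long, high-entropy leftmost label suggests a DGA domain."""
    label = domain.rstrip(".").split(".")[0]
    return len(label) >= MIN_DGA_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def in_blocklist(domain: str) -> bool:
    """Exact match, or suffix match for entries that start with a dot."""
    d = domain.rstrip(".").lower()
    for entry in BLOCKLIST:
        if entry.startswith("."):
            if d == entry[1:] or d.endswith(entry):
                return True
        elif d == entry:
            return True
    return False


@dataclass(frozen=True)
class Decision:
    client: str
    qname: str
    action: str   # "allow" or "block"
    reason: str   # "blocklist", "dga-heuristic" or "" when allowed


def decide(client: str, qname: str) -> Decision:
    """Policy applied to one query before any real resolution happens."""
    if in_blocklist(qname):
        return Decision(client, qname, "block", "blocklist")
    if looks_generated(qname):
        return Decision(client, qname, "block", "dga-heuristic")
    return Decision(client, qname, "allow", "")


def parse_log_line(line: str):
    """Parse constructed 'timestamp client qname' records; None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[1], parts[2]


def evaluate_log(lines):
    """Return one Decision per well-formed log line, in order."""
    out = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            out.append(decide(*parsed))
    return out


def blocked_clients(decisions):
    """Hosts that attempted a blocked lookup: the responder's triage list."""
    return sorted({d.client for d in decisions if d.action == "block"})


# Constructed sample resolver log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2023-02-08T03:12:01Z 10.20.1.15 www.example.org
2023-02-08T03:12:05Z 10.20.1.15 evil-c2.example
2023-02-08T03:12:09Z 10.20.1.42 cdn.malware-host.example
2023-02-08T03:12:11Z 10.20.1.77 mail.example.org
2023-02-08T03:12:14Z 10.20.1.42 q7x9k2mv4bwz1p.example
2023-02-08T03:12:20Z truncated
""".splitlines()

if __name__ == "__main__":
    decisions = evaluate_log(SAMPLE_LOG)
    for d in decisions:
        print(f"{d.action:5} {d.client:12} {d.qname} {d.reason}")
    print("hosts to triage:", blocked_clients(decisions))
```

Two of the three blocks come from the blocklist and one from the entropy heuristic; the triage list is the part an incident responder actually wants, since it names the hosts that tried to reach blocked infrastructure rather than just the domains. A real protective DNS service would also feed these decisions into a SIEM and return a sinkhole answer instead of silently dropping the query.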

Morten Gammelgaard, Co-Founder of BullWall, notes the damage and aftermath of this attack and similar ones, and emphasizes the importance of a strong cybersecurity posture:

“The ransom attack on the City of Oakland not only disrupted city services, but as is always the case in such events, the attackers have obtained private data, including financial and government papers, identity documents, passports, employee data, and information regarding human rights violations. Data breaches and identity theft resulting from such attacks cause significant harm to individuals and organizations alike. In this case, the attackers are using the stolen data as leverage to demand a ransom payment from the city, which could result in further financial loss and reputational damage.

“In addition to the city services being out for a week prior to IT restoring access, the potential long-term impact of the attack on the city's infrastructure and security cannot be ignored. For some companies, a week of downtime would be significant loss of revenue or worse yet, imagine if that was a hospital that was down for 6 days!

“This incident underscores the importance of implementing robust cybersecurity defenses, including response and containment measures to safeguard against such attacks, as there is no end in sight to these sorts of attacks.”

Ted Miracco, Chief Executive at Approov Mobile Security, highlights the importance of securing Oakland’s computer systems and data, and expects a higher likelihood of attacks on government offices nationwide:

“The recent ransomware attack on the city of Oakland is a concerning issue, and we expect to see more attacks like this on Government offices, as they are quite vulnerable. The potential implications of giving in to these demands could encourage more cyberattacks on other cities and organizations, as hackers may see it as a profitable way to extort money. The fact that the gang claims to have access to sensitive information such as financial and government papers, identity documents, passports, and employee data is alarming. However, the city of Oakland and other organizations must prioritize the security of their computer systems and data to prevent future attacks. Hopefully, the authorities can track down and bring the hackers to justice while also ensuring the safety of the stolen data.”

Darren Williams, CEO and Founder of BlackFog, also expects the threat to municipal governments to rise:

“As cyber adversaries continue to focus on making the biggest impact by affecting the most people, it’s unsurprising that the public sector and government remains a compelling target. In 2022 for example, our State of Ransomware report observed a 17% increase in reported governmental cyber-attacks.

“City councils and governments need to re-prioritize their cybersecurity as clearly, this isn’t an issue that will just go away. The effect of the attack on the City of Oakland last month appears to only now be setting in, as the stolen personal data of city workers have begun to be leaked by the attackers.

“Moreover, hackers often favor weekends and holidays to launch attacks, when the majority of employees are out of office, so newer technologies that focus on automated prevention 24/7 must be added to the security stack.”