Oakland confirms massive second data leak after February ransomware attack

Oakland city officials have confirmed this week that significantly more data has been released on the dark web by the ransomware group that attacked the city in February.

The Play ransomware group, which took credit for launching the crippling attack, published 600 gigabytes of city data after releasing an initial batch of 10GB last month.

On Tuesday, the city confirmed the second leak, writing in a statement that it was working with specialists and law enforcement to investigate the files.

The city also acknowledged the breadth of data published in the first batch — which included troves of documents stolen from the city police department and other offices within the city government. Even the personal information of Mayor Sheng Thao was leaked.

“Our extensive manual review of the data determined to be involved has to date determined that the personal information of certain current and former employees and a limited subset of residents – such as some individuals who filed a claim against the City or applied for certain federal programs with the City – was involved in this incident,” the city explained.

“We began notifying impacted employees in March and are mailing notification letters to impacted residents to provide them with further details and resources to help protect their personal information.”

The city said it will continue to notify those affected by both leaks as they comb through the data. They urged victims to call the number provided in breach notification letters if they have any concerns or questions.

In addition to the two leaks from the Play ransomware group, another group has claimed to have stolen data from the city.

The notorious LockBit ransomware group added Oakland’s government to its leak site two weeks ago. The city denied that there was another ransomware attack but LockBit has not removed the posting. They are threatening to leak the data if their demands are not met by the end of the day on Sunday.

The city began sending out breach notification letters to thousands of employees and residents on March 15, writing that names, addresses, driver’s license numbers, Social Security numbers and more were taken when Play attacked the city between February 6 and February 9.

Any person who worked for the city from July 2010 to January 2022 had their sensitive information stolen, and the city warned people to be wary of scams.

On Monday, the city’s police union filed a claim against the city demanding $25,000 per officer after the group leaked documents related to lawsuit settlement agreements and misconduct allegations, as well as information about ongoing litigation against the city, wire transfer records, bond sale information, and contracting data.

Barry Donelan, president of the Oakland Police Officers’ Association, told Mercury News that at least one officer who tried to freeze his credit discovered that “someone got there ahead of him and put their name on his credit first.”

Several local news outlets have reported that the second batch of data includes even more sensitive police department information in addition to healthcare information about city workers and government officials.

In addition to the stolen data, critical city services have been crippled since the attack began. It was only in the last week and a half that the city was able to restore its 311 phone line, online permit center and city contract systems. Platforms for paying parking tickets and business taxes are still being restored.