After Ransomware Attack, Oakland Faces Data Breach Lawsuit
California City Says 13,000 Current and Former Employees' Personal Data Stolen
A flurry of legal complaints and a lawsuit have been filed against Oakland, California, in the wake of a ransomware attack that disrupted city systems for weeks and months.
The Play ransomware group took credit for the attack and leaked 10 gigabytes of stolen information on current and former city employees when the city refused to pay a ransom. In April, it dumped another 600 gigabytes of stolen data.
Plaintiffs have filed at least four legal claims against the city as it notifies about 13,000 current and former employees that their personal information was exposed in the attack, local newspaper Oaklandside reported.
A city spokeswoman told Information Security Media Group the breaches affected employees who worked for the city between July 2010 and January 2020 as well as a limited number of residents such as individuals who had filed a claim against Oakland or applied for some federal programs through the city.
Under California law, anyone who wants to sue the state government or a public agency for damages must first file a claim. The agency has 45 days to respond. If it doesn't do so, the claim is considered to be denied, allowing the claimant to sue in small claims court within two years.
After filing a complaint, Hada Gonzalez on April 25 filed a lawsuit, seeking class action status. The lawsuit accuses the city of failing to take reasonable steps to protect employees' personally identifiable information, as well as health information. Failure to protect health information is a violation of the HIPAA security rule, the lawsuit says.
Gonzalez, a police services technician for the city, argues in the lawsuit that the exposure of her personal details leaves her at increased risk of identity theft. She also accuses the city of failing to inform victims about the breach and what was stolen in a timely manner, saying that it took 30 days to do so.
Legal experts say that lawsuits such as Gonzalez's typically fail, because they must prove harm. The U.S. Supreme Court in a 2021 ruling limited plaintiffs' standing to cases where they can demonstrate "concrete harm," a decision that puts lawsuits brought by plaintiffs who can demonstrate financial harm at far less risk of dismissal.
As banks and payment card issuers typically reimburse in full any losses a customer suffers due to fraud tied to identity theft, demonstrating harm for the loss of personal data is often a difficult threshold to meet.
Thirty days is not an unusual period of time for a breached organization to take to identify who was affected and then notify them, experts say. States' data breach notification laws were designed to ensure breached organizations notify individuals in a timely manner - 30 to 45 days is a benchmark some experts recommend - so they can take steps to protect themselves against identity fraud.
The ransomware attack against the city came to light on Feb. 8, after which officials declared a state of emergency to aid recovery. Many nonemergency systems were offline for weeks, including city phone systems, preventing residents from paying bills or applying for permits or licenses. Officials said emergency systems, including the 911 call center for police and fire emergencies, continued to function, although police said they were unable to file multiple types of reports.
The city said it strove to contain the attack and immediately called in third-party digital forensic experts to handle incident response and facilitate systems restoration, with the help of the governor's Office of Emergency Services. Law enforcement is investigating.
In the aftermath, the city said it was working "around the clock to implement recovery plans that will restore impacted systems as quickly and as securely as possible." By Feb. 28, it had restored some major systems, including a telephone service for reporting flooding and sewer overflows.
The city appears to have declined to pay a ransom. To pressure the city into doing so, the Play ransomware group in early March listed the city on its data leak website together with a sample of stolen data, featuring financial and personally identifiable information, including pictures of driver's licenses and passports.
Oakland subsequently confirmed that information for some current and former employees, spanning the period from July 2010 to January 2022, had been stolen by the attackers. Officials said they are notifying affected individuals "in accordance with applicable law" and have been urging all potential victims to closely monitor their financial accounts for signs of fraud.
"Moving forward, we will focus on strengthening the security of our information technology systems," Mayor Sheng Thao said in a March 6 update.
That was the same day the mayor received a letter from the Oakland Police Officers' Association, which accused her of "stonewalling" victims by failing to detail exactly what had been stolen or how many individuals had been affected.
Since it was just weeks after the attack, the city likely had yet to determine such details.
As of early May, the city reported that nearly all affected IT systems had been restored and it was working through a backlog of crime reports, reported infrastructure emergencies, applications for business payments, invoices needing to be paid and other city matters.
The city also said that its investigation remains ongoing and that it was continuing to notify victims. The Oakland spokeswoman told Information Security Media Group that the city can't comment on pending legislation.