Breach Potentially Exposes 20K LAPD Applicant Data Records

A person who identified himself or herself as a hacker contacted the city last Thursday, revealing inside knowledge of a database of people who applied to the LAPD between 2010 and 2018 or early 2019.

by Cindy Chang, Los Angeles Times / July 30, 2019
Los Angeles Police Department Shutterstock/Tupungato

(TNS) — Los Angeles city computers were breached last week in a data theft potentially involving the personal information of about 20,000 applicants to the police department, including hundreds who are now sworn officers.

The cyberattack highlights the vulnerability of government computer systems, with the city of Los Angeles subjected to billions of hacking attempts in the last five years, according to Ted Ross, general manager of the city’s Information Technology Agency.

A person who identified himself or herself as a hacker contacted the city last Thursday, revealing inside knowledge of a database of people who applied to the LAPD between 2010 and 2018 or early 2019, Ross said.

City officials were concerned that the entire database was compromised and quickly began notifying the job applicants, who had logged on to a website for updates during the lengthy process of becoming a police officer.

About 2,500 of the 20,000 applicants advanced to the next step, though not all ended up joining the department, Ross said.

The information that was potentially stolen included email addresses, birth dates, the last four digits of social security numbers and the passwords used to log on to the database, the city personnel department said in an email to the affected job applicants.

Home addresses, phone numbers and full social security numbers were not believed to have been stolen, said the email, which recommended that victims change passwords, place a fraud alert with national credit bureaus and request a credit report.

The database for LAPD applicants was upgraded earlier this year and is more secure than the one that was breached, which is no longer active but still contains the applicants’ information, Ross said. Security for the defunct system has been strengthened since the attack.

Mayor Eric Garcetti made cybersecurity a priority in a 2013 executive directive, with a goal of making “our systems more resistant to penetration.”

Despite the constant barrage of cyberattacks against the city, this was the first successful attempt in recent memory, Ross said.

“We live in a world in which there are a lot of cybersecurity attacks, especially on government agencies,” Ross said. “We’ve made a lot of improvements and will continue to make them.”

The union that represents rank-and-file LAPD officers called last week’s data breach, which was first reported by NBC L.A., “a serious security issue for our members.”

“We urge the City of Los Angeles to fully investigate this lapse in security and to put in place the strongest measures possible to avoid further breaches in the future,” the Los Angeles Police Protective League Board of Directors said in a written statement. “We also call upon the city to provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence so that they may restore their credit and/or financial standing.”

The city personnel department plays a major role in screening aspiring police officers. The database that was compromised belonged to the personnel department, not the LAPD, said Josh Rubenstein, an LAPD spokesman.

“The breach included some personal data from people who went though our recruit process,” the LAPD said in a written statement on Friday night. “Some of those individuals are now working for the department. All the affected individuals are being notified as we speak.”

The theft of the data by “a malicious third party” is believed to have happened on July 25, according to the email from the city personnel department.

The city has secured the database and is conducting an internal investigation, according to the email. The LAPD’s Computer Crimes Unit is also investigating.

In a written statement, a spokesman for Garcetti characterized the data breach as involving “limited information” from a database that is no longer in use.

“We take the protection of personal data very seriously, and the city has informed the individuals who may have been affected,” said the spokesman, Alex Comisar. “The city’s Information Technology Agency has added additional layers of security to guard against future events of this kind.”

©2019 the Los Angeles Times. Distributed by Tribune Content Agency, LLC.

Platforms & Programs