Authorities Investigate Data Released in Oakland Cyber Attack

The FBI and third-party specialists are working to determine the contents of the released city data. Officials said the Feb. 8 ransomware attack was perpetrated by the threat actor group Play.

(TNS) — An unauthorized third party has released stolen files from Oakland's computer network — the latest development in a ransomware attack that the city has struggled to contain for nearly a month.

A spokesperson for the city said Oakland was working with third-party specialists and law enforcement to determine the contents of the released files. If the files are found to contain personal information, the involved individuals will be notified.

Oakland said in a statement to The Chronicle that it is currently working with the FBI and the state's Office of Emergency Services to investigate the attack.

Late Friday, for the first time the city revealed the identity of the organization responsible for the ransomware demand: a "threat actor group" called Play. According to IT management company Avertium, Play launched in June 2022 and has been previously responsible for ransomware attacks on Argentina's Judiciary of Cordoba and the German hotel chain H-Hotels. It's unclear why the group targeted Oakland.

An internal email sent by G. Harold Duffey, the interim city administrator, and obtained by The Chronicle, encouraged city employees to "follow best practices when it comes to protecting your information by remaining vigilant against incidents of identity theft and fraud."

"It would be prudent to regularly review your financial accounts such as credit card accounts, checking and saving accounts," Duffey's email said. "If you notice any suspicious or unauthorized charges or withdrawals, contact your financial institution immediately."

"The privacy and security of the data entrusted to us is of the utmost importance to us," Duffey wrote. "We take seriously our responsibility to safeguard this information and continue working with cybersecurity experts to further enhance the security of our systems."

Barry Donelan, the president of the police union, told The Chronicle that the city hasn't specified what files were taken, but he's assuming that all personal files for city employees and anyone affiliated with the city could be at risk.

"You have to assume the worst and hope for the best," Donelan said.

The ransomware attack, which occurred on Feb. 8, has disrupted the city's ability to process parking tickets and business licenses. Parking citation payments must still be made online. Cashier booths and cashiers still cannot make phone calls to process parking tickets.

In mid-February, the City Council declared a state of emergency over the cyber attack. The city has not released details on why they're calling it ransomware and whether — or how much — Oakland may have paid to the attackers. It's unclear when the city's systems will be fully restored.

The city said in a Tuesday update that the 311 phone system was back up and running after being impacted during the storms last week.

Chronicle staff writer Jordan Parker contributed to this report.

©2023 the San Francisco Chronicle, Distributed by Tribune Content Agency, LLC.