The Chronicle viewed the published files using a link that was published on the dark web over the weekend. The files include over 9 gigabytes of data and documents including hundreds of records related to police misconduct allegations and scanned bank statements from the city's operating account.
Some of the documents appear to be public records, like lawsuits filed against the Oakland Police Department. But other records, like the Social Security information, could have adverse consequences for the people whose information was released.
"I'm very worried about identity theft," said one city employee whose personal information was released, and who spoke on condition of anonymity because he was not authorized to comment publicly. "It's another example of the city not protecting the people who work tirelessly for them."
The data breach raises questions about the security of the city's systems. The city has not disclosed how the ransomware attack occurred. Both current and former employees said the city did not have two-factor authentication, a second layer of security to password-protected accounts, for staff until after the ransomware attack. Cybersecurity experts said it's unclear whether two-factor authentication could have prevented the attack without knowing what caused the hackers to be able to gain access.
"We think the city of Oakland has been negligent in their handling of our data," said Zac Unger, a firefighter and president of the union representing firefighters. "We've been telling them for years they should be more careful about the data."
The release of personal information could leave people vulnerable to identity theft and tax identity theft. A "bad actor" could use the information to get fraudulent tax refunds, apply for a line of credit or commit financial theft if routing numbers and credit card information are available, said Sarah Powazek, the program director of UC Berkeley's Public Interest Cybersecurity.
Powazek noted that local governments, like Oakland, "make really great targets for ransomware" because they host critical public infrastructure, but may not have the resources to defend against an attack. She said because the group released the data, it's likely Oakland did not pay the ransom. The city has not disclosed how much they were asked for in ransom or whether they were asked for ransom at all.
The city said in a statement to The Chronicle that it is working with a third-party data-mining firm to do an "in-depth review" of the released data, which will likely take time. Based on what they find, they will notify staff, the city said.
"My administration takes this very seriously and has been working hard to restore systems and provide assistance to anyone impacted," Thao said in a statement. "Moving forward we will focus on strengthening the security of our information technology systems."
City officials sent an email to current employees on Monday, obtained by The Chronicle, saying that the city had sent a notification about the breach to all staff over the weekend. However, some current and former employees said they did not receive the notification.
The city held a town hall on Thursday for current staff detailing recovery efforts and addressing payroll concerns. They told staff they will be required to register for multifactor authentication by mid-month. The city has also offered employees a complimentary membership to Experian, which offers people help with detecting whether their identity has been stolen and what to do if a theft occurs. It's unclear if an Experian membership has been offered to former employees.
In addition, City Administrator G. Harold Duffey advised staff in an email, obtained by The Chronicle, to "remain vigilant by reviewing your account statements and credit reports for any unauthorized activity over the next 12 to 24 months."
Still, some staff said they feel the city hasn't been completely transparent with staff about its efforts.
"It's been a pathetic response, terrible communication and if you ever wondered if the city valued your service, you learned that they don't," said Barry Donelan, president of the police union. "It's disingenuous emails that lack any substance whatsoever."
One former employee told The Chronicle that the city did not communicate with them, and that they were exchanging information with other former staff on how to protect their data.
Officials confirmed to The Chronicle on Friday that the data had been leaked and that they were working with the FBI and the state's Office of Emergency Services to investigate the attack. The city said that a "threat actor group" called Play has claimed responsibility.
According to IT management company Avertium, Play launched in June 2022 and was responsible for ransomware attacks on the judiciary of the state of Cordoba in Argentina. It's unclear why the group targeted Oakland.
The attack, which started Feb. 8, disrupted the city's ability to process parking tickets and business licenses and pay its employees.
Unions said some city staff are still not being paid properly for the hours they work. The city's email to employees on Monday said payroll staff were able to "complete the reconciliation process" for unpaid and underpaid employees on Friday night and that employees should receive missing wages either Monday or Tuesday.
Unger said the city had previously replicated past paychecks to continue paying staff. For staff like firefighters — who might work 48 hours in one pay period and more than 100 hours the next — the city's strategy hasn't worked.
"Half of our members got underpaid," Unger said. "And this is not even talking about overtime."
"The HR department has let down its employees here. We need communication and clarity from them and it's been a string of broken promises. They've been promising for 10 days now that my members will get paid," he said.
Unger also said that in response to the attack, the city asked all employees to register using two-factor authentication about a week ago. But some city staff have had issues registering and as a result, have lost access to their city emails — making it impossible for them to know if they've been notified by the city if their data had been leaked.
Some City Council members said they were being briefed about the attack in closed session meetings and declined to share details.
"We the city are being very cautious to what we say publicly because we don't want to tip our hand to the ransomware perpetrators," said Council Member Dan Kalb. "This is still a situation in progress."
Council Member Kevin Jenkins said he isn't too worried about his own information being leaked, but is focused on how employees are impacted.
"I am a public figure," Jenkins said. "I figure at some point it's going to happen."
In mid-February, the City Council declared a state of emergency over the cyber attack.
©2023 the San Francisco Chronicle, Distributed by Tribune Content Agency, LLC.
