Long-term effects of the Oakland cyberattack

The City of Oakland has a long-term problem on its hands.

On February 8, Oakland was the victim of a ransomware attack that took many of its systems offline. Over the next couple of weeks, city officials focused on system recovery and public communication regarding services like permitting, licensing, and Oak311. They also worked with the FBI and other law enforcement agencies to investigate the origin and scope of the attack.

On March 4, the Play ransomware gang released 11.7 GB of data to prove that they had stolen Oakland’s files and to pressure the city into paying the double-extortion. The “leaktivist collective” known as Distributed Denial of Secrets (ddosecrets dot com) said the data was leaked after “about a month” of ransomware negotiations between the city and the attackers. The city confirmed the breach on March 6:

… We are dedicated to a thorough analysis to determine what and whose information is potentially involved, which will take time to complete. We are also coordinating this effort with law enforcement, including the FBI.

Based on the findings of this comprehensive review, we are actively notifying individuals whose personal information is determined to be involved as quickly as possible and in accordance with applicable law …

Despite these efforts, some victims were notified by consumer alerts before being notified by the city.

Oakland’s slow response

The last time we talked about Oakland was March 29, when city employees accused officials of ignoring and stonewalling them about the severity of the data breach. Local union leaders also claimed the real conditions of city systems were worse than the city had disclosed. Oakland officials responded by saying the ongoing investigation into the attack prevented them from releasing more information. The Oakland Police Officer Association filed a claim against the city on March 30, stating that over 9 GB of sensitive data and documents were leaked to the public. The claim requested $25,000 compensation for each member who had been affected by the breach. Less than a week later, a second set of data was published on the dark web. This time it was 600 GB.

An April 13 article by ABC 7 News detailed their own investigation into the data breach, which involved downloading the data and contacting “more than three dozen victims” whose Social Security numbers were exposed in the breach. The team reports that none of the victims had been notified by the city.

Oakland Mayor Sheng Thao explained the slow response:

"We are still going through what has actually been taken and dropped onto the black web … As you know, it takes time to download and so we're waiting."

The ABC 7 investigative team reported that they were able to download the entire 600GB set in less than four hours. This may not be a fair comparison since a formal forensic examination process takes longer than a common file download and content review. The city's investigation into the data leaks could legitimately take much longer than the public would expect. Oakland does have a perception problem though, as the timeline of events suggests that city officials were aware of the breach before the first data drop on March 4.

Ongoing problems for the city

The city’s problems with this attack started long before February 8, and they will last long into the future. A 2021 infrastructure audit warned city officials that Oakland was exposed to “ransomware attacks, cyberattacks, and other threats.” A class action lawsuit filed on April 25 seeks damages due to negligence and other privacy violations. The lawsuit alleges that city officials knew that Oakland was at risk yet failed to act on the warnings. The city is also earmarking $10 million over the next two years to “modernize and harden cybersecurity protections.”

Who knows what will happen over the next two years? Barracuda research shows that 38% of ransomware victims are attacked again in the next 12 months. Sometimes attackers leave a backdoor in the system, sometimes the original problems just aren’t fixed, sometimes it’s something else. We’ve identified several reasons for these repeated attacks. The point is, Oakland might not have two years to harden its systems. 

What about the next five or 10 years? The ripple effects cannot be predicted. Fitch Ratings stated that Oakland’s stable outlook could be negatively affected by the “fiscal impact of the cyberattack either due to litigation or cost of recovery and repair.” The city is already managing a budget crunch, federal oversight of the police department, and other unfortunate issues.

The city’s last update on the attack was posted on April 27. The investigation is ongoing and “nearly all” affected IT systems have been restored. The city also asks residents, businesses, and employees to remain vigilant against cyberthreats and identity theft. Use strong passwords, avoid suspicious messages and websites, and keep operating systems and applications patched and updated. Be sure to set up fraud alerts and put a freeze on your credit report. And if you are specifically warned that you are vulnerable to a ransomware attack, act on that information as soon as possible.

(Just kidding on that last one. The city never said anything about a warning.)