Ransom gang leaks trove of sensitive data from City of Oakland attack


The Play ransomware gang has made good on its threat to publish thousands of sensitive files it stole during last month's hack on the city of Oakland, California.

The city of Oakland, California, can’t get a break as the Play ransomware gang holds a massive cache of stolen files hostage.


The city is still reeling from a February 8 ransomware attack that took most Oakland city services offline, and now the hackers responsible for the attack have leaked almost 10 gigabytes of sensitive government files on their extortion leak site.

What’s more, the Play gang, also known as PlayCrypt, is threatening to release more stolen information in the coming weeks.

"Our investigation to date has further determined that the involved files contain employee information dating from July 2010 to January 2022," the city stated in a March 8 update on its website.

Officials said current employees whose personal information was breached in the attack have since been notified, and formal letters will be mailed to all employees involved.

“My administration takes this very seriously and has been working hard to restore systems and provide assistance to anyone impacted,” said Oakland Mayor Sheng Thao in response to the latest development.

“Moving forward, we will focus on strengthening the security of our information technology systems,” Thao said.

An update about the leak was posted on the Oakland city website.


This is the first time the ransomware group responsible for the attack has been publicly identified and the city has acknowledged that files were stolen.

Play threatened on its leak site to upload all the stolen files if the ransom demands are not met, according to the website Gov Info Security.

The city has not revealed how much ransom Play has asked in exchange for the stolen data.

Stolen data posted on the Play leak site is said to include 12 years of city rosters that list thousands of current and past employees’ social security and driver's license numbers, birth dates, and home addresses, reported the San Francisco Chronicle.

Personal files belonging to the Oakland Mayor and her predecessor were also published, the Chronicle added, also noting the stolen documents included hundreds of records related to police misconduct allegations and scanned bank statements from the city’s operating account.

On March 3, the city of Oakland announced it had become aware the ransomware group intended to release the stolen information publicly, but officials did not specify when that would happen.

“Based on the findings of this comprehensive review, we are actively notifying individuals whose personal information is determined to be involved as quickly as possible and in accordance with applicable law and providing resources to protect the personal information of those impacted,” the city said.

The initial ransomware attack was discovered when IT teams noticed suspicious activity in the city network systems.

Several non-emergency systems had been offline since the February 8 attack, including phone lines and Wi-Fi, causing the city to take the entire system offline as a precaution and close access to many municipal buildings.

By February 14, Oakland officials were forced to declare a state of emergency, and the following week they called in the California National Guard and Governor’s office to help sort through the aftermath.


Since then, many services, including Wi-Fi access, have been restored, but the city said it is still working with “third-party and information technology specialists from Cal OES [California Governor's Office of Emergency Services] to fully restore any impacted systems.” It added that it had “made significant progress.”

According to the ransomware-monitoring site Darkfeed, the City of Oakland is listed as Play’s most recent target, out of a total of 42 victims, since the gang first appeared on the scene in June 2022.

Using tactics similar to those of the Hive ransomware group, Play has notched up some high-profile victims, including cloud computing company Rackspace, German hotel chain H-Hotels, and Argentina’s Judiciary of Cordoba.