Sarah Ravani reports:
Oakland’s police union filed a claim against the city after a ransomware attack released personal information for thousands of current and former city employees, union officials said Monday.
The legal filing, which asks for monetary damages of up to $25,000 per affected employee, argues that the city failed to implement “reasonable, industry-standard security protocols for its information systems,” and as a result, employees’ personal information was released.
The filing comes nearly two months after the city reported a ransomware attack by a hacker group that released 12 years of city employee rosters, including a list of thousands of current and past employees’ Social Security numbers, driver’s license numbers, birth dates and home addresses.
$25,000 per employee? Perhaps they want to make a point with the complaint or are just angry that they found out more from the media than they did from their employer, but $25,000 is nothing like what would ever be awarded in a settlement or jury result.
Read more at SF Chronicle. The Play ransomware gang claimed the attack on Oakland, but we also saw LockBit post Oakland on their leak site. The city subsequently denied that there had been a second attack.
They have not denied that there has been a second massive data leak by Play, however. Oakland’s situation is one to note. The mayor has admitted that the city has absolutely no idea what data the threat actors exfiltrated, and they don’t know until the data are leaked. So far, Play has leaked two dumps. Do they have any more data? How long will Oakland have to watch to determine if there are more people they will have to notify? If Play has more data and strings out the leaks, Oakland could be dealing with rolling notifications and updates.
In her TV interview, Mayor Sheng Thao asserted, “It is illegal for people to actually go and actually download things from the dark web.” Once again, a politician proudly flaunts their ignorance of the law. It is not illegal to go to the dark web. It is publicly available. It is also not illegal to download many things from the dark web. However, downloading copyrighted material without permission of the copyright holder or downloading child pornography would be illegal in the U.S.