San Francisco Chronicle - (Sunday)

As Oakland shows, cities are vulnerable to hackers

By Sarah Ravani. Reach Sarah Ravani: sravani@sfchronicle.com; Twitter: @SarRavani

A ransomware attack against the city of Oakland, which has disrupted internal systems and leaked personal data on thousands of city employees and some residents, reveals just how vulnerable city governments can be to sophisticated acts of cybercrime.

Last weekend, a hacker group released onto an anonymous region of the internet known as the dark web a dozen years of city employee rosters that listed thousands of current and past employees’ Social Security numbers, driver’s license numbers, birth dates and home addresses.

The Chronicle viewed the published files, which included more than 9 gigabytes of data and documents including hundreds of records related to police misconduct allegations, whistle-blower reports and scanned bank statements from the city’s operating account.

Security experts say attacks like the one Oakland is experiencing aren’t unusual. In fact, municipalities are often prime targets because they house vast amounts of public information and yet are often at the “bottom of the food chain” in technology resources and ability to respond.

“Municipalities host a lot of very critical data and a lot of very critical services, and ransomware attackers are looking for organizations to target that will be under the most pressure to pay their ransom,” said Sarah Powazek, the program director of UC Berkeley’s Public Interest Cybersecurity.

City governments and public institutions nationwide have been the subject of many such attacks, experts said.

According to security researcher Comparitech, hackers launched 330 ransomware attacks on U.S. governmental entities between 2018 and October 2022, costing an estimated $70 billion in downtime alone. Of those, 72 of the ransom amounts were revealed, totaling about $36.5 million, and hackers received about $5 million in payments from 27 of these 72 cases, Comparitech said.

In 2020, a major ransomware attack on the Baltimore (Md.) County school system prevented retired teachers from changing their medical insurance for more than a year — resulting in the district owing thousands of dollars in benefits, according to the Washington Post. This week, NBC reported a data breach at the health insurance marketplace in Washington, D.C., putting hundreds of lawmakers and staff at risk for disclosure of their personal information.

And locally, BART suffered a ransomware attack in January when internal business records from the agency’s police department were leaked onto the dark web, the transit agency’s officials told The Chronicle. BART said it has implemented “specific steps to safeguard against future unauthorized access,” but did not respond to questions about what steps it took.

Public institutions are often more vulnerable because they have a harder time hiring and retaining top-tier cybersecurity staff compared with more lucrative positions in the private sector. City budgets also tend to prioritize emergency response, infrastructure and social services over IT and security, Powazek said.

Oakland, which operates on a two-year, $3.85 billion budget, spends most of its money on police, fire and its debt and lease payments. In 2022, the city appointed a new chief information officer and the first chief information security officer. In total, the city’s IT department has 89 budgeted full-time positions and 17 vacancies. The city partners with KnowBe4, a security awareness company, to provide cybersecurity training for staff and said it will build on these efforts. In addition, the city said its IT security staff participates in regular training and regional meetings on best practices.

“The City of Oakland takes seriously our responsibility to protect our network and the data we store within it,” a city spokesperson said in a statement to The Chronicle on Thursday. The new information officers “are laser focused on bolstering the City’s cybersecurity systems, reinforcing cyber hygiene best practices, and embedding a culture of security in everything we do.”

The city said that it plans to build on its existing team to boost its network security and modernize its IT infrastructure. But for many cities, including Oakland, which is facing a major budget deficit, money can be an issue. In addition to adding two-factor authentication services since the attack, the city said it’s also implementing other security controls that can help detect when an account is compromised.

“Public services and public institutions tend to run on smaller budgets,” said Paul Dourish, director of the Steckler Center for Responsible, Ethical, and Accessible Technology at UC Irvine. “Data services in cities are frequently under-resourced. Their computer systems aren’t necessarily as up to date as those being used by private corporations.”

And even those that do have better systems in place can still suffer ransomware attacks, Dourish added. Incursions can be launched by a variety of means, including something as simple as an employee clicking a phishing link in an email.

Vahab Pournaghshband, an associate computer science professor at the University of San Francisco, said while attacks may be hard to avoid, there are some steps local governments can take to make it harder for hackers to access their data.

Those include beefing up network security and improving staff training. That should also include requiring two-factor authentication to access critical networks, which Oakland is now rolling out to its staff, and enforcement of more complicated passwords.

Storing vital data in encrypted form is also essential. Oakland did not respond to questions about whether it encrypts its data, but the information leaked by the hackers was in plain text and visible without the use of an encryption key.

Oakland confirmed that a “threat actor group” called Play had claimed responsibility and that city officials were working with the FBI and the state’s Office of Emergency Services to investigate the attack. The city said it aimed to contact current and former employees from July 2010 to January 2022 to alert them of “potential data impact,” but two retirees reached by The Chronicle who requested not to be identified said they had not heard anything yet from the city.

In addition, Oakland is reviewing non-employee residents to see if their information — which could include passport numbers — has been compromised. The Chronicle has reviewed files that show passport information for non-employee residents.

In a statement to The Chronicle on Thursday, the city said it immediately launched an investigation with the help of third-party cyber forensics and technology firms. The city has since “contained the threat,” but did not detail what that containment is. Whether resident information has been compromised will take time to determine, the city said.

“We are committed to enhancing the security of our network even more with the support of third-party experts and our City staff,” a city spokesperson said. “We are incredibly proud of this dedicated team’s hard work to continue restoring impacted systems, and our entire staff’s proactive steps to make our City even more resilient.”

Cybersecurity experts were unanimous in advising that paying the ransom should be out of the question. In this case, it appears that Oakland did not pay out because its IT systems were thrown into disarray and data was leaked.

It’s unclear now whether the threat actor group plans to release more information.

“Paying the ransom is the last thing you want to do,” Dourish said.

Yet some do. In 2020, UCSF paid $1.14 million in ransom so that hackers would unlock its data. And the city of Lafayette, Colo., also paid a ransom, according to the Colorado Sun.
