Oakland officials, experts worry ransomware group may leak more 'sensitive' stolen data, sources say

Stephanie Sierra Image
Thursday, March 9, 2023
Oakland ransomware group may leak more stolen data: Sources
Oakland could be facing another data leak days after a ransomware group exposed its first batch of sensitive files stolen, sources say.

OAKLAND, Calif. (KGO) -- The city of Oakland could be facing another data leak days after a ransomware group exposed its first batch of sensitive files stolen off the city's network, sources tell the ABC7 News I-Team.

It's all part of the looming threat from the ransomware group "Play" that sources say claimed responsibility for the attack. The ABC7 News I-Team has learned "Play" is reportedly carrying out negotiations with federal investigators.

According to the hacker group's leaked site, the first batch of sensitive information leaked has more than 1,500 views on the dark web.

RELATED: Social security, bank info of Oakland employees, businesses may be compromised in ransomware leak

Cybersecurity experts say the implications of another leak could be likely with this group since only a portion of the data was leaked.

"With only a portion leaked, now they're kind of hoping that the city sees the real threat and they're attempting to get that ransom to be paid now," said Jake Aurand, who specializes in counterintelligence for cyber security software firm Binary Defense.

Aurand has studied ransomware attacks, including previous hacks by "Play." He says the group was first identified in June of last year and gained notoriety after attacking Argentina's Judiciary of Cordoba and the German hotel chain "H-hotels."

"Play doesn't seem to have one specific targeted industry or geographical location," Aurand said. "They really just go after anything they can access."

So how did these hackers get into Oakland's network?

RELATED: Expert explains how City of Oakland may have become victim of ransomware attack

How did the City of Oakland become a victim of a ransomware attack? Expert says a phishing email could be to blame.

"It could've been done through a phishing email that someone clicked on and gave up their credentials, or it could've been done through vulnerabilities," Aurand. "So if there was a vulnerability in a system that wasn't patched."

The leaked files may contain the personal and financial information of thousands of current and former city employees and business owners.

"It's a new day," said Oakland City Councilmember Noel Gallo. "We have to be better prepared."

Gallo says it's still unclear how "Play" accessed their network but it appears the city did not have the proper protections in place. According to the mayor's office, the city does have antivirus software protection. But Aurand says that alone won't prevent an attack like this.

"What happens to this data after it's leaked?" Sierra asked.

"It becomes publicly available, anybody can really gain access to it," Aurand said.

RELATED: City of Oakland says ransomware attack 'contained' as services slowly come back online

According to cyber analysts, the data "Play" allegedly stole from the city's network and leaked to the dark web has a list of every victim exposed and a download link will be provided if you click on their name.

Aurand says the hacker group's page on the dark web linking to the stolen data already has more than 1,500 views -- adding now the concern is the information could be sold to other hacker groups.

"They'll try to identify any big names or high-profile people within it and start their attacks there," he said. "Trying to use email addresses or social security numbers or driver's license numbers to commit tax fraud or identity theft."

A slew of problems that may plague Oakland for years.

RELATED: Here's a look at how other cities solved their cyberattacks

"I've been employed for many, many years in the political landscape here and this must be one of the greatest challenges we've had," Gallo said.

"We're going to have to make some budget adjustments to make sure that our technology is in operation, but also the safety features necessary will be implemented."

Gallo added these investments will need to be prioritized but added it won't be easy. The city is bracing for a nearly $200 million deficit next year.

Mayor Sheng Thao was unavailable for an interview, but told the I-Team in a statement "we're taking this seriously."

The city has provided a number for people to call to check whether their information was compromised in the leak and to get help accessing available resources - 866-869-1861.

Take a look at for a look at more stories by Sierra Stephanie and the ABC7 News I-Team.

Now Streaming 24/7 Click Here

If you're on the ABC7 News app, click here to watch live