A flurry of legal complaints and a lawsuit have been filed against Oakland, California in the wake of a ransomware attack that disrupted city systems for weeks and months.
The Play ransomware group took credit for the attack and leaked 10 gigabytes of stolen information on current and former city employees when the city refused to pay a ransom. In April it dumped another 600 gigabytes of stolen data.
Plaintiffs have filed at least four legal claims against the city as it notifies about 13,000 current and former employees that their personal information was exposed in the attack, local newspaper Oaklandside reported.
A city spokeswoman told Information Security Media Group the breaches affected employees who worked for the city between July 2010 and January 2020 as well as a limited number of residents such as individuals who filed a claim against Oakland or applied for some federal programs through the city.
Under California law, anyone who wants to sue the state government or a public agency for damages must first file a claim. The agency has 45 days to respond. If it doesn’t do so, the claim is considered to be denied, allowing the claimant to sue in small claims court within two years.
After filing a complaint, Hada Gonzalez on April 25 filed a lawsuit, seeking class action status, that accuses the city of failing to take reasonable steps to protect employees’ personally identifiable information, as well as health information. The latter is a violation of the HIPAA security rule, Gonzalez asserts.
Gonzalez, a police services technician for the city, argues in the lawsuit that the exposure of her personal details leaves her at increased risk of identity theft. She also accuses the city of failing to inform victims about the breach and what was stolen in a timely manner, noting that it took 30 days to do so.
Legal experts say that lawsuits such as Gonzalez’s typically fail, because they must prove harm. The U.S. Supreme Court in a 2021 ruling limited plaintiffs’ standing to cases where they can demonstrate “concrete harm,” a decision that makes lawsuits brought by plaintiffs who can demonstrate financial harm at far less risk of dismissal.
With banks and payment card issuers typically reimbursing in full any losses a customer suffers due to fraud tied to identity theft, demonstrating harm for the loss of personal data is an often difficult threshold to meet.
Neither is thirty days an unusual period of time for a breached organization to take to identify who was impacted and then notify them, experts say. States’ data breach notification laws were designed to ensure breached organizations notify individuals in a timely manner – 30 to 45 days is a benchmark some experts recommend – so they can take steps to protect themselves against identity fraud.
The ransomware attack against the city came to light on Feb. 8, after which officials declared a state of emergency to aid recovery. Many non-emergency systems were offline for weeks, including city phone systems, preventing residents from paying bills or applying for permits or licenses. Officials said emergency systems, including the 911 call center for police and fire emergencies, continued to function, although police said they were unable to file multiple types of reports.
The city said it strove to contain the attack and immediately called in third-party digital forensic experts handle incident response and facilitate systems restoration, with the help of the governor’s Office of Emergency Services, and with law enforcement also investigating.
In the aftermath, the city said it was working “around the clock to implement recovery plans that will restore impacted systems as quickly and as securely as possible.” By Feb. 28, it had restored some major systems, including a telephone service for reporting flooding and sewer overflows.
The city appears to have declined to pay a ransom. To pressure the city into doing so, the Play ransomware group in early March listed the city on its data leak website together with a sample of stolen data, featuring financial and personally identifiable information, including pictures of driver’s licenses and passports.
Oakland subsequently confirmed that information for some current and former employees, spanning the period from July 2010 to January 2022, was stolen by the attackers. Officials said they were notifying affected individuals “in accordance with applicable law” and have been urging all potential victims to closely monitor their financial accounts for signs of fraud.
“Moving forward we will focus on strengthening the security of our information technology systems,” Mayor Sheng Thao said in a March 6 update.
That was the same day the mayor received a letter from the Oakland Police Officers’ Association, which accused her of “stonewalling” victims by failing to detail exactly what was stolen or how many individuals were impacted.
Coming just weeks after the attack, likely the city had yet to determine such details.
As of early May, the city reported that nearly all impacted IT systems had been restored and it was working through a backlog of crime reports, reported infrastructure emergencies, applications for business payments, invoices needing to be paid and other city matters.
The city also said that its investigation remain ongoing and that it was continuing to notify victims. The Oakland spokeswoman told Information Security Media Group that the city can’t comment on pending legislation/