Late this winter, an international hacking syndicate suspected of conducting ransomware attacks around the globe turned its attention to the police department in the San Gabriel Valley city of Azusa, California.
Through means that remain unclear, the hacking group DoppelPaymer appears to have infiltrated computers in the 63-officer department and gained access to critical data. A demand for money followed.
For the next 2½ months, officials in the city of 48,000 kept the hack a secret. They said nothing in March as they strategized with the FBI, Los Angeles County Sheriff’s Department and ransomware consultants, and remained mum in April when they opted not to pay, and hundreds of highly sensitive files, including criminal case files and payroll data, spilled out online.
It was only on Friday, the eve of a Memorial Day weekend and a preferred time for organizations to quietly release negative news, that the city first acknowledged the hack and its potential risk to the privacy of residents and employees.
An Azusa Police Department news release announced a “notification of data security breach” stemming from a “sophisticated ransomware attack.”
“The investigation determined that certain Azusa Police information was acquired by the unauthorized individual during the incident,” it said. Those materials, the release said, “may have included” Social Security numbers, driver’s license numbers, medical information, financial account information and other records.
Police have not proactively warned individuals mentioned in the records, but those who have provided sensitive information to the police are being directed to a special hotline and are urged to contact credit agencies, Azusa Police Capt. Christopher Grant said.
To some who monitor the work of hackers, the announcement was disturbingly understated. The perpetrators posted seven gigabytes of Azusa records on the so-called dark web, where they remain accessible. The index page of the police data has been visited more than 11,000 times since late April.
“This was nothing like those kinds of hacks where credit monitoring helps,” said Adrian Riskin, a math professor who blogs about L.A. municipal politics. “There are surveillance videos and gang activity reports and incredibly secret stuff.”
Riskin shared with The Times a selection of records posted on a DoppelPaymer site. They included payroll files for officers, a spreadsheet that appears to identify Azusa gang members along with their nicknames, cellphone numbers and home addresses; crime scene and booking photos; investigative reports referencing confidential informants; and an audio interview with what appears to be a cooperating witness.
“They just acted like [the hackers] got people’s passwords or something,” Riskin said of the city’s response.
Grant, who oversees administrative operations for the police department, denied that officials were trying to hide or downplay the cyberattack. An ongoing criminal probe has limited how much the department can say publicly, he said, and investigators are still trying to determine everything that was stolen.
“I would love to see what information he has to help us out,” Grant said of Riskin. “We are continuing to sift through this and analyze the extent of the information out there.”
Azusa is among several U.S. law enforcement agencies targeted in this year’s wave of ransomware attacks. The Illinois attorney general’s office and the police in Presque Isle, Maine, were hacked this spring, and a group called Babuk hacked personnel records and other material from the Washington, D.C., police department and recently demanded a $4-million ransom.
“These things can be very, very bad,” threat analyst Brett Callow of the security company Emsisoft said of the type of data at risk in law enforcement breaches. To hackers, he said, the particular mission of an organization is unimportant. “If the organization can pay, it is at risk.”
In Azusa, officials have not revealed how much the hackers demanded. In a December bulletin about DoppelPaymer, the FBI said the syndicate has routinely demanded “six- and seven-figure ransoms in Bitcoin” since the group emerged two years ago. DoppelPaymer is also known to phone victims to pressure them to come up with the money.
Mayor Robert Gonzales said that as officials discussed how to respond to the hackers, Azusa’s insurance carrier made it clear the city would be on its own financially.
“They have said this is one of the things they won’t pay for — ransom,” Gonzales said.
After the hackers posted the records, he said, there was still significant confusion about what data had been breached. He said he wanted to be transparent, but he was also listening to law enforcement officers tracking the hackers.
“We had to give the information out gingerly,” Gonzales said, adding that he hoped federal and state government officials would assist municipal leaders. “We need help.”
© 2021 Los Angeles Times Distributed by Tribune Content Agency, LLC