Torrance municipal officials have belatedly acknowledged that hackers stole a huge trove of computer files containing sensitive personal information of employees and “others,” that may have come from compromised city servers during a cyberattack discovered last month, but have yet to inform those whose data was taken.
“We sincerely apologize and regret any concern this incident may cause our employees and others who interact with the city,” the city said in a press release issued Thursday, April 23. “We are working hard to determine if this information originated from our systems and will notify affected individuals as soon as is reasonably possible.”
City Manager LeRoy Jackson later clarified via email that an on-going criminal investigation “constrains what information can be made available.”
The March 1 cyberattack by a ransomware group cut off access to the city’s own website, as well as municipal email accounts and also compromised the city’s credit card payment system. That meant residents couldn’t pay such things of utility bills and permit fees with plastic.
Brett Callow, a Canada-based threat analyst with anti-malware software company Emisoft, said the cyberattack “represents a significant risk to both the public and other organizations that have interacted with the city.
“This is an example of how not to handle a security incident,” Callow said via email. “Torrance’s network was compromised by a ransomware group which is known to steal data.
“In fact, the group’s ransom note actually states that the stolen data will be made public unless the ransom is paid,” he added. “This incident should have been treated and disclosed as a potential data breach from the outset.”
City officials have not detailed what information was stolen or how much.
But Callow said the amount of pilfered data online was vast.
“In total, there is more than seven gigabytes of data consisting of more than 7,000 individual files,” he said. “The group claims to have stolen 200 gigabytes of data (containing) 250,000 individual files.”
Callow provided images to the Daily Breeze of a few files at random.
They included an arrest warrant and criminal investigation report issued by the Torrance Police Department, city credit card account information and a pay stub for a current city employee. The records contained social security numbers, addresses, drivers license numbers and other personal information.
In a presentation to the City Council last Tuesday, Finance Director Eric Tsao said “preliminary findings” into the security breach found no evidence hackers had stolen anyone’s personal information.
However, that same day Tsao said the city learned stolen data had been posted online, although he added it was unclear whether it actually came from municipal servers.
“The data is also being reviewed by legal to assess whether the city has any notification obligations,” Tsao’s presentation observed. He added that the city’s servers had largely been restored.
However, Callow said affected people should be notified as quickly as possible so they can take proactive steps to ensure their credit card and other financial data remains secure.
The data can be used for identity theft or sold online, he said.
“We’ve seen data dumps such as this being sold and traded on the dark web,” he said. “This is why it’s critical that incidents are disclosed as quickly as possible.
“If individuals are kept in the dark,” he added, “they may only find out their personal information has been compromised when they receive a statement for a credit card they did not apply for.”