Cyber Incident Victim: Los Angeles City Attorney
Date:
Mar 2026
Location:
United States of America
Summary
Hackers gained access to an unprotected file‑sharing system used by the city attorney’s office to exchange discovery materials, copying hundreds of thousands of files that included civil lawsuit documents, police personnel records, body‑camera footage and medical information. The compromised data amounted to several terabytes and was posted on a dark web site by a ransomware group that claimed responsibility. City officials said the breach was confined to the third‑party tool, notified the FBI and began an internal review, while police unions and elected officials criticized the delayed disclosure and lack of transparency. The exposure raised concerns about the possible reuse of sensitive information in new or reopened legal actions and prompted calls for stronger safeguards on shared legal repositories.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The breach was first announced by the ransomware collective WorldLeaks on March 20, when the group began teasing small samples of the data on its dark‑web site; the full dataset was published on March 27, taken down after roughly eight hours, and then reappeared twice in early April. City officials later determined that the incident likely began sometime in March, with an internal link used by the city attorney’s office to access the files being clicked at least 5,000 times on the first day of the breach. The files were stored in a file‑sharing system that had been created after the George Floyd protests to handle a surge of civil lawsuits against the LAPD, allowing attorneys on both sides to access discovery materials, some of which were subject to court‑ordered privacy protections. Sources described the system as akin to Dropbox or Google Drive, intended for restricted access but left without a password because city officials believed it needed to be available to outside attorneys assisting with litigation. Over time the system expanded beyond its original purpose and came to contain records from hundreds of lawsuits involving the LAPD.
The compromised inventory examined by The Times consisted of approximately 337,000 to 340,000 files amounting to millions of pages and roughly 7.7 terabytes of data. The material included civil lawsuit files ranging from trip‑and‑fall cases to allegations of police excessive force, personnel files for dozens of current and former officers, medical records from thousands of cases in which police or other city employees were accused of misconduct, and thousands of hours of uncut body‑camera footage. Specific items noted in the inventory were personnel files for LAPD officers accused of using excessive force against a Black military veteran during a 2021 traffic stop, files containing the identities of witnesses who saw a man die after officers knelt on him during an arrest, and a lawsuit over an alleged sexual assault by a police officer that was set for trial the following week. At least 1,060 of the files were marked as confidential, and the data also contained discovery documents from previously adjudicated or settled LAPD civil litigation cases.
Upon discovering the compromise, the city attorney’s office said it immediately alerted senior LAPD officials and the city’s IT department, began regular contact with other city departments to assess the scope, and secured the file‑sharing tool while investigating what information had been accessed. A spokesperson for the office, Ivor Pine, stated that the incident involved unauthorized access to a third‑party tool used to transfer discovery to opposing counsel and litigants, and that no other city applications, systems, or department records were involved. The LAPD echoed this, issuing a brief public statement acknowledging the disclosure of discovery documents from closed cases and emphasizing that the breach did not affect any LAPD systems or networks. The FBI opened an investigation into the matter, and the city attorney’s office referenced an April 17 public report that concluded the incident was contained to the third‑party environment.
The breach has generated political and operational repercussions. City Atty. Hydee Feldstein Soto, who is seeking reelection, received the endorsement of the Los Angeles Police Protective League, but union officials contended she did not inform them of the leak until they learned of it from the news on Tuesday evening, prompting the union to issue a scathing statement criticizing the lack of urgency and forthrightness. Feldstein Soto’s challenger, John McKinney, who leads the major crimes bureau at the L.A. County district attorney’s office, said the lack of transparency is unacceptable and could put witnesses and LAPD families at risk. Lawyers representing police officers reported numerous calls from clients concerned that their personnel and medical records had been exposed, warning that the leak might lead to costly litigation; about 900 officers are currently suing the department over the 2023 release of mugshot‑style images from a public records request. An untold number of internet users have downloaded the terabytes of data since its release, and what consequences may emerge from that distribution remains to be seen.