
Cyber Incident Victim: Azusa Police Department

Date: Mar 2021

Location: United States of America

Summary

The Azusa Police Department experienced a ransomware attack by the DoppelPaymer group, which disrupted certain computer systems but left emergency services operational. Following the department's refusal to pay the ransom, attackers leaked stolen files containing police investigation records, patrol reports, financial data, and sensitive personal information such as Social Security numbers, medical details, and license plate recognition data. The breach prompted an investigation with third-party specialists, leading to notifications for affected individuals and the establishment of a dedicated assistance line offering credit monitoring services.


Description

On March 9, 2021, the Azusa Police Department in California discovered that certain computer systems had become inaccessible, prompting immediate engagement with law enforcement partners and third-party specialists to investigate the incident’s source and scope. The department confirmed that critical public safety services, including 911 systems and emergency operations, remained fully functional despite the disruption. By March 17, the DoppelPaymer ransomware group listed the department on its leak site, indicating the attack was a ransomware incident and that the department had refused payment demands. The threat actors escalated pressure on April 22 by publicly releasing a sample of exfiltrated files, which included police investigation records, patrol officers’ reports, and financial or payroll-related information, though the full extent of stolen data remained unclear. The department’s internal investigation progressed, and on April 27, officials confirmed attackers had acquired files, initiating a deeper review to identify compromised data.


By May 20, 2021, the investigation revealed that exfiltrated information potentially included Social Security numbers, driver’s licenses, California ID cards, passport and military ID numbers, financial account details, medical and health insurance records, and automated license plate recognition system data. The department issued a formal notification on May 28, detailing the breach timeline and establishing a dedicated assistance line for affected individuals, operational Monday through Friday from 6 a.m. to 6 p.m. Pacific Time. Credit monitoring services were offered to those potentially impacted, though the department did not disclose the number of affected individuals or specific operational disruptions beyond the initial system inaccessibility. The attackers did not specify the total volume of data acquired, leaving the complete scope of the breach unresolved in public reporting. Throughout the incident, the department maintained continuity of emergency services while focusing on forensic analysis and stakeholder communication.
