Cyber Incident Victim: City of Torrance
Date: Mar 2020
Location: United States of America
Summary
The City of Torrance experienced a ransomware attack by the DoppelPaymer group, involving data theft and encryption of devices. Attackers erased local backups, encrypted approximately 150 servers and 500 workstations, and stole over 200 GB of files including financial records, accounting documents, and city management archives. A ransom demand of 100 bitcoins was issued for a decryption key and to prevent further leaks, while stolen data was publicly released on the "Dopple Leaks" site. The group previously threatened to sell stolen data on dark web forums, though initial city statements claimed no public personal data was compromised.
Description
On March 1, 2020, the City of Torrance, California, experienced a cyberattack attributed to the DoppelPaymer ransomware group. Attackers encrypted approximately 150 servers and 500 workstations, disrupting municipal operations. The ransomware operators claimed to have erased local backups prior to encryption, limiting recovery options. During the attack, approximately 200 GB of data—equivalent to 269,123 files across 8,067 directories—was exfiltrated. This data included sensitive city documents such as budget financials, accounting records, scanned documents, and archives belonging to the City Manager. The attackers demanded a ransom of 100 bitcoins (approximately $680,000 at the time) in exchange for a decryption key, deletion of stolen files from their servers, and a promise not to release additional data. Local media reported the cyberattack on the same day, with city officials initially stating no public personal data was compromised.

In April 2020, DoppelPaymer operators published stolen files on their "Dopple Leaks" site under a dedicated "City of Torrance, CA" page, contradicting the city’s earlier assurances. The leaked archives contained operational and financial documents, demonstrating the theft’s scope. The group had previously established this leak site in February 2020 to pressure victims into paying ransoms and had sold stolen data on dark web forums when payments were not made. DoppelPaymer’s tactics mirrored prior attacks, including a November 2019 incident against Mexico’s Pemex Oil involving a $4.9 million ransom demand. The City of Torrance did not publicly confirm whether it negotiated with the attackers or paid the ransom. The incident highlighted risks to municipal infrastructure, including operational disruption, data exposure, and financial extortion attempts by ransomware groups leveraging double-extortion tactics.
