Cyber Incident Victim: City of Oakland
Date: Feb 2023
Location: United States of America
Summary
The City of Oakland experienced a ransomware attack that disrupted non-emergency systems, prompting the shutdown of affected networks to contain the incident while critical services such as 911 dispatch and emergency response remained operational. Personal information of current and former employees spanning over a decade, along with data from some residents involved in claims or federal programs, was compromised. Following the attack, a local emergency was declared to expedite recovery efforts, which involved collaboration with cybersecurity experts, law enforcement, and state agencies. The unauthorized actors later released additional stolen data on a non-traditional website. Impacted individuals were notified and offered resources including credit monitoring and a dedicated call center, while restoration of services such as permitting and payment systems progressed in phases.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On the night of February 8, 2023, the City of Oakland experienced a ransomware attack that disrupted municipal operations, with impacts becoming apparent during the early morning hours of February 9. The City's Information Technology Department immediately took affected systems offline to contain the intrusion and initiated an investigation with law enforcement agencies, including the FBI. Core emergency services—911 dispatch, fire response, and financial systems—remained operational throughout the incident. By February 10, the City confirmed the ransomware nature of the attack and warned residents to expect service delays. Interim City Administrator G. Harold Duffey declared a local state of emergency on February 14 to expedite resource procurement and activate emergency protocols. This declaration enabled deadline extensions for business tax license payments, moving the original March 1 due date to April 17 without penalties.

Service disruptions persisted through late February, affecting Oak311 phone systems, parking citation processing, online business tax payments, and permitting operations. The City implemented workarounds such as online permit applications and in-person payment assistance while restoration efforts continued. The California Governor’s Office of Emergency Services (CalOES) deployed IT specialists starting February 23 to assist with workstation recovery. By February 28, partial restoration allowed Oak311 phone services to resume for urgent issues, though non-emergency reporting still required online submissions.

On March 3, officials confirmed that attackers had exfiltrated data from City networks, with subsequent updates revealing that the unauthorized party had begun releasing files publicly. Forensic analysis determined that compromised records included personal information of current and former employees from July 2010 to January 2022, as well as residents involved in claims against the City or federal program applications. Notification letters to affected employees commenced in March, followed by resident notifications in April, accompanied by a dedicated call center and email support. The City engaged third-party data mining firms to analyze the breach scope while monitoring dark web channels for further data leaks. Restoration of payment systems and online services progressed through March, with Mayor Sheng Thao committing to strengthened cybersecurity measures amid ongoing recovery operations.
