City officials ask how thousands of sensitive LAPD files got leaked
Following a recent data breach that saw hackers seize a vast trove of confidential police records, Los Angeles leaders have demanded an explanation from the city’s top lawyer, whose office was targeted.
What they’ve gotten so far, according to Councilor Ysabel Jurado, are answers that only leave more questions.
In an interview, Jurado said she expected City Attorney Hydee Feldstein Soto to appear before the Government Operations Committee this week, but instead received an internal report offering a “high-level view” of the breach that left many key details unanswered.
“When did the city attorney’s office become aware of this, what steps were taken and why were city officials not informed promptly? » said Jurado. “Right now, we still have to wonder and try to piece the information together.”
The Times reported the existence of the hack last week, prompting further scrutiny from public officials — some of whom, like Jurado, said they had not previously been informed. Since then, the newspaper has examined an inventory of 337,000 compromised files.
The documents run into millions of pages and appear to mostly come from civil lawsuits against the city that were resolved in court. They range in nature from trip and fall cases to excessive police force.
During a brief Council committee discussion Tuesday morning, Jurado said she received information that an internal link used by the city attorney’s office to access files was clicked on at least 5,000 times on the first day of the breach, which is believed to have occurred sometime in March.
The files were not password-secured, according to sources who previously spoke to The Times and requested anonymity because they were not authorized to discuss the ongoing investigation. Last week, a top police official assured the department’s civilian leaders, the Police Commission, that none of the department’s systems had been compromised.
Jurado said she wants answers about why and how the city managed to leave sensitive documents exposed, such as medical reports, autopsy photos and witness names.
“It’s just horrible to think that this existed,” Jurado said.
The city attorney’s office responded to the Times’ questions by referencing a public report released April 17, which said a preliminary investigation indicated that “the incident was confined to this third-party environment and that no other city department applications, systems or records were accessed or affected.”
The report states that hackers extracted “small samples” of data from its dark website for a week starting March 20, before publishing the whole thing on March 27. The data was deleted after about eight hours, then reappeared twice in early April, the report said.
In a separate letter to the police union, the office said it would begin notifying people whose information was compromised “without unreasonable delay.”
The inventory reviewed by the Times shows the personnel files of LAPD officers who were accused of using excessive force against a Black military veteran during a traffic stop in 2021. Another file included the identities of witnesses who saw a man die after LAPD officers knelt on him during an arrest, records reviewed by the Times showed.
Thousands of hours of uncut body camera footage were released. There were also medical records relating to thousands of cases in which police officers and other city employees had been accused of misconduct. At least 1,060 of those files are labeled confidential, the inventory shows.
The city attorney’s office said it alerted top LAPD officials and the city’s IT department as soon as they discovered the leak, and has since been in regular contact with other city departments to assess the extent of the leak. The FBI began investigating the case.
This situation has already cost re-election candidate Feldstein Soto the support of the LAPD’s powerful rank-and-file officers’ union, which withdrew its support after accusing the city attorney of failing to disclose the full extent of the violation.
The leak follows Feldstein Soto’s efforts to weaken the state’s public records law after the release of numerous police photos and other documents, which she demanded be returned.
Several lawyers whose cases were on the compromised list told the Times they had not yet heard from city officials. Some said they could foresee that the leaked documents would be used as justification to reopen old cases – or initiate new ones.
“I’m curious as to what exactly the city attorney’s office had that they may not have disclosed to us during discovery,” Arnoldo Casillas, attorney for the family of Eric Rivera, a 20-year-old man whose family sued after he was killed by police in Wilmington in 2017 and whose records are among those included in the leak, according to the inventory reviewed by the Times.
The case was later dismissed, but the family appealed.
Other attorneys whose lawsuits against the city and the LAPD were among the hacked documents said they wanted to know exactly what was included in the records.
Robert Glassman, who filed an $18 million lawsuit last year on behalf of two elderly brothers who were seriously injured when an LAPD cruiser rear-ended their vehicle, said he also has not heard from the city attorney’s office.
“You would think they would notify (affected parties) and tell them they are working to get their information back,” he said.
Experts said similar cyberattacks on government offices across the country have shown that it can sometimes take months or even years for the dust to completely settle and the full extent of the damage to become apparent.
James E. Lee, president of the Identity Theft Resource Center, a nonprofit organization that provides advice and assistance on identity theft, said that last year alone the center saw a record 3,322 hacks.
This is almost certainly an undercount, given how many cases go undetected or unreported, Lee said. Of the incidents recorded, about 165 targeted government agencies, compared to 47 in 2020, he said.
In the past, according to Lee, many attacks on government entities were carried out by state-sponsored actors, but the emergence of AI-based hacking tools has made it possible for ordinary people to carry out such incursions.
“They want data that they can reuse: anything that has financial information, anything that has driver’s license information is going to be very valuable to them,” he said.
Matthew McNicholas, an attorney who has represented many police officers in their lawsuits against the city, said he has fielded many calls from clients concerned about the disclosure of their medical and personnel records.
The disclosed documents, according to the inventory, include a case in which McNicholas sued the city on behalf of a victim who said she was sexually assaulted as a minor by an employee of a city-run recreation center.
McNicholas said he feared the leak would reveal the private information of police whistleblowers who have come forward to reveal discrimination and other misconduct.
The Associated Press contributed to this report.
