Following the recent data breach in which hackers stole a massive trove of confidential police records, L.A. leaders have demanded an explanation from the city’s top lawyer, whose office was targeted.
According to council member Ysabel Jurado, what they’ve received so far are answers that only leave more questions.
In an interview, Jurado said he had expected City Attorney Heidi Feldstein Soto to appear before the Government Operations Committee this week, but instead he received an internal report offering a “high-level view” of the breach that did not include many important details.
“When did the city attorney’s office find out, what action was taken, and why were city officials not immediately notified?” Jurado said. “At this point, we’re still asking questions and trying to gather information.”
The Times reported the existence of the hack last week, prompting public officials to investigate further — some of whom, like Jurado, said they were not informed earlier. Since then, the newspaper has reviewed a list of 337,000 files that were compromised.
The documents run into millions of pages, and most of them appear to come from civil lawsuits against the city that have been settled in court. These range in nature from cases of trips and falls to excessive use of force by police.
During a brief discussion in council committee Tuesday morning, Jurado said he received information that an internal link used by the City Attorney’s Office to access the files was clicked at least 5,000 times on the first day of the breach, which is believed to have occurred sometime in March.
According to the sources, who previously spoke to The Times and requested to remain anonymous, the files were not password protected because they were not authorized to discuss the ongoing investigation. A senior police officer last week assured the police commission, the department’s civilian bosses, that none of the department’s own systems had been compromised.
Jurado said she wants answers as to why and how the city managed to leave behind sensitive records such as medical reports, autopsy photos and names of witnesses.
“It’s horrifying to think that he was there,” Jurado said.
The city attorney’s office responded to questions from The Times, saying public report released on April 17, stating that the initial investigation indicated that “the incident was contained within that third-party environment, and no other city applications, systems or department records were accessed or affected.”
The report said the hackers teased “small samples” of data on their dark web site over a week starting on March 20, before publishing the whole thing on March 27. The data was deleted after about eight hours, and then re-displayed twice in early April, the report said.
In a separate letter to the police union, the office said it would “without undue delay” begin notifying people whose information was compromised.
The list reviewed by The Times shows personnel files for LAPD officers who were accused of using excessive force against a Black military veteran during a traffic stop in 2021. Another file included the identities of witnesses who saw a man die after being kneed by LAPD officers during an arrest, records reviewed by The Times showed.
Thousands of hours of uncut body camera footage were released. There were also medical records from thousands of cases in which police and other city employees were accused of misconduct. The list said at least 1,060 files have been classified.
The city attorney’s office said that as soon as they learned of the leak, they alerted senior LAPD officials and the city’s IT department, and have since been in regular contact with other city departments to assess the scope of the leak. FBI has started investigating the matter.
The situation has already cost Feldstein Soto, who is up for re-election, the endorsement of the powerful union for rank-and-file LAPD officers, which withdrew its endorsement after accusing the city attorney of failing to disclose the full extent of the violations.
The leak follows Feldstein Soto’s efforts to weaken the state’s public records law following the release of several police officers’ photographs and other materials, which he demanded be turned over.
Several lawyers whose cases were included in the list of compromised files told The Times they have yet to hear from city officials. Some said they speculated that the leaked records could be used as justification for reopening old cases or starting new ones.
“I’m curious to know what exactly the city attorney’s office has that they may not have told us,” said Arnaldo Casillas, an attorney for the family of 20-year-old man Eric Rivera, according to the inventory reviewed by The Times.
The case was later dismissed, but the family has filed an appeal.
Other lawyers whose lawsuits against the city and LAPD were listed in the hacked materials said they wanted to know what exactly was included in the files.
Robert Glassman, who last year successfully filed an $18 million lawsuit on behalf of two elderly brothers who were fatally injured when their vehicle was struck by a speeding LAPD squad car, said he also has heard nothing from the city attorney’s office.
“You would think that they would notify (affected parties) and let them know that they are working to get their information back,” he said.
Experts said similar cyberattacks on government offices across the country showed that it could take months or years for the dust to fully settle and the full scope of the damage to be revealed.
James E. Lee, president of the Identity Theft Resource Center, a nonprofit organization that provides advice and assistance related to identity theft, said that last year alone the center documented an all-time high of 3,322 hacks.
This is almost certainly an undercount, Lee said, given the number of cases that go undetected or unreported. Of the incidents recorded, about 165 targeted government agencies, he said – up from 47 in 2020.
According to Lee, in the past, many attacks on government entities were carried out by state-sponsored actors, but the emergence of AI-powered hacking tools has allowed everyday people to carry out such intrusions.
“They want data they can reuse: anything that has financial information, anything that has driver’s license information, that’s going to be very valuable to them,” he said.
Matthew McNicholas, an attorney who has represented several officers in their lawsuits against the city, said he has fielded numerous calls from clients worried about their personnel and medical records being exposed.
The inventory shows that the leaked records include a case in which McNicholas sued the city on behalf of a victim who said she was sexually assaulted as a minor by an employee of a city-run recreation center.
McNicholas said he was concerned that the leak would expose the personal information of police whistleblowers who came forward to expose discrimination and other misconduct.
The Associated Press contributed to this report.
