In the aftermath of a recent data breach that saw hackers make off with a vast trove of confidential police records, Los Angeles leaders have sought an explanation from the city’s top lawyer, whose office was targeted.
What they have gotten so far, according to Councilmember Ysabel Jurado, are answers that only leave more questions.
In an interview, Jurado said she had expected City Atty. Hydee Feldstein Soto to appear before the Government Operations committee this week, but instead had received an internal report offering a “high level view” of the breach that left many key details unaddressed.
“When did the city attorney’s office become aware, what actions were taken, and why were city officials not notified promptly?” Jurado said. “Right now, we’re still left to question and trying to assemble the information.”
The Times reported the existence of the hack last week, prompting further scrutiny by public officials — some of whom, like Jurado, said they hadn’t previously been informed. Since then, The Times has reviewed an inventory of 337,000 files that were compromised.
The documents amount to millions of pages, and appear to mostly come from civil lawsuits against the city that have been resolved in court. They range in nature from trip-and-fall cases to police excessive force.
During a brief discussion at the council committee Tuesday morning, Jurado said she had received information that an internal link used by the city attorney’s office to access the files had been clicked at least 5,000 times on the first day of the breach, which is thought to have occurred sometime in March.
The files were not secured by a password, according to sources who spoke previously with The Times and requested anonymity because they were not authorized to discuss the ongoing investigation. A senior police official last week assured the department’s civilian bosses, the Police Commission, that none of the department’s own systems had been compromised.
Jurado said she wanted answers for why and how the city had managed to leave exposed sensitive records, such as medical reports, autopsy photos and witness names.
“It’s just horrific to think that that was out there,” Jurado said.
The city attorney’s office responded to questions from The Times by referring to a public report issued April 17, which said a preliminary investigation indicated that “the incident was contained to that third-party environment, and that no other City applications, systems, or department records were accessed or affected.”
The report noted that the hackers teased “small samples” of the data on its dark web site over a week starting March 20, before publishing the whole thing on March 27. The data were taken down after about eight hours, and then reappeared again twice in early April, the report said.
In a separate letter to the police union, the office said it would begin notifying people whose information was compromised “without unreasonable delay.”
The inventory reviewed by The Times shows personnel files for LAPD officers who were accused of using excessive force against a Black military veteran during a traffic stop in 2021. Another file included the identities of witnesses who saw a man die after LAPD officers knelt on him during an arrest, the records reviewed by The Times showed.
Thousands of hours of uncut body camera footage were released. There were also medical records from thousands of cases in which police and other city employees were accused of misconduct. At least 1,060 of the files are labeled as confidential, the inventory says.
The city attorney’s office has said that it alerted senior LAPD officials and the city’s IT department as soon as they discovered the leak, and has in the weeks since been in regular contact with other city departments to assess the scope of the leak. The FBI has begun investigating the matter.
The situation has already cost Feldstein Soto, who is up for reelection, the endorsement of the powerful union for the LAPD’s rank-and-file officers, which withdrew its support after accusing the city attorney of failing to disclose the full extent of the breach.
The leak follows Feldstein Soto’s efforts to weaken the state’s public records law after the release of many police officer photos and other materials, which she demanded be returned.
Several attorneys whose cases were included in the list of compromised files told The Times they have not yet heard from city officials. Some said they could foresee the records leaked being used as justification to reopen old cases — or initiate new ones.
“I’m curious to know what exactly it is that the city attorney’s office had that they may not have disclosed to us in discovery,” Arnoldo Casillas, an attorney for the family of Eric Rivera, a 20-year-old man whose family sued after he was killed by police in Wilmington in 2017 and whose files are among those included in the leak, according to the inventory reviewed by The Times.
The case was later dismissed, but the family has filed an appeal.
Other attorneys whose lawsuits against the city and LAPD were listed among the hacked materials said they wanted to know exactly what was included in the files.
Robert Glassman, who successfully sued for $18 million last year on behalf of two elderly brothers who were badly injured when a speeding LAPD squad car broadsided their vehicle, said he also hadn’t heard from the city attorney’s office.
“You’d think that they would notify [the affected parties] and tell them that they’re working to get their information back,” he said.
Experts said similar cyberattacks on government offices across the country have shown it can take months or years for the dust to fully settle and the full scope of the damage to emerge.
James E. Lee, president of the Identity Theft Resource Center, a nonprofit organization that provides advice and assistance related to identity theft, said last year alone the center documented an all-time high of 3,322 hacks.
That’s almost certainly an undercount, given the number of cases that go undetected or unreported, Lee said. Of the recorded incidents, roughly 165 targeted government agencies — up from 47 in 2020, he said.
In the past, according to Lee, many attacks of government entities were carried out by state-sponsored actors, but the emergence of AI-powered hacking tools have allowed everyday people to carry off such incursions.
“They want data that they can repurpose: anything that’s going to have financial information, anything that’s going to have driver’s license information is going to be very valuable to them,” he said.
Matthew McNicholas, a lawyer who has represented many officers in their lawsuits against the city, said he has fielded numerous calls from clients worried their personnel and medical records were exposed.
The leaked records, the inventory shows, include a case in which McNicholas sued the city on behalf of a victim who said they’d been sexually molested as a minor by an employee at a city-run recreational center.
McNicholas said he is worried that the leak will expose the private information of police whistleblowers who came forward to reveal discrimination and other misconduct.
The Associated Press contributed to this report.
