Criminal hackers have leaked a massive trove of sensitive files from the police department of a San Francisco Bay Area transit system, including specific allegations of child abuse.
The Bay Area Rapid Transit System (BART) Police Department is responsible for the breach. Alicia Trost, BART’s chief communications officer, said in an email that officials were investigating the posted files and that the hackers had not disrupted BART services. The date of the hack is unknown.
The perpetrators are a well-known group of ransomware hackers, one of many who target specific organisations and encrypt sensitive files or threaten to post them on the dark web. According to an NBC News review, the website where the BART Police leaks were posted contains over 120,000 files.
Among the files are at least six scanned, unredacted reports detailing suspected child abuse. These reports include the names and birthdates of vulnerable children, as well as descriptions of an adult and the alleged abuse.
Ransomware hackers frequently demand payment in order to prevent file sharing. Trost declined to provide further details, but the fact that the files are now available online indicates that BART refused to pay, according to Brett Callow, an analyst at the cybersecurity firm Emsisoft.
There are also mental health record forms on the website, which an officer can use to recommend someone for mental health evaluation. Other files contain the names and driver’s licence numbers of contractors who worked on BART projects, police reports naming suspects in various crimes, and hiring documents for prospective officers.
Though such sensitive police files are still rare, cyber extortion attacks on US public sector organisations, including police departments, have become more common.
According to an Emsisoft survey, ransomware hackers successfully attacked more than 100 networks associated with local government agencies last year. The Treasury Department estimates that ransomware attacks cost US businesses $886 million in 2021, the most recent year for which data is available.
“Unfortunately, there hasn’t been enough progress in securing public sector organisations,” Callow said. “They can jeopardise investigations, resulting in extremely sensitive information leaking online, and even endanger people’s lives — both officers’ and the general public’s.”
When a different hacker gang refused to pay, it breached the Metropolitan Police Department in Washington, D.C., and leaked sensitive profiles of 22 officers.
Such hackers are also known to target school districts. Des Moines Public Schools cancelled classes on Tuesday due to a “cyber security incident,” which is a term commonly used to describe a ransomware attack. According to Emsisoft, nearly 2,000 schools in the United States will be affected by ransomware in 2022.
