The police department in Azusa, California, has gone public about a ransomware attack, 12 weeks after becoming aware of the incident.

Potentially compromised information includes social security, drivers’ licence, ID card, passport and military identification numbers, financial account data, medical and health insurance information, as well as data collected through an automated licence plate recognition system.

“Although the police department has no evidence of actual or attempted misuse of information, it is providing notice to the public in an abundance of caution,” said the force, which serves a 48,000-population city around 30km east of central Los Angeles.

The incident dates back to 9 March when parts of the department’s computer systems became inaccessible. Officers contacted law enforcement partners and began working with third-party specialists to determine the cause and extent of systems affected.

On 20 May it was established the hacker may have obtained social security numbers and other private information.

The department said: “The investigation determined that Azusa Police was the victim of a sophisticated ransomware attack and that certain systems and information were accessed by an unauthorised individual.

“Azusa Police refused to cooperate with the cyber criminal and did not pay any ransom …

“Azusa Police continues to review its network security polices and take additional steps to further enhance its security, as it takes the privacy and security of all information very seriously.”

The department also established a dedicated assistance line to help concerned individuals and to provide credit monitoring services to potentially impacted people.

The Los Angeles Times reported the cyber-attacker posted seven gigabytes of Azusa records on a DoppelPaymer site on the dark web, where they remain accessible. The index page of the police data has been visited more than 11,000 times since late April.

“There are surveillance videos and gang activity reports and incredibly secret stuff,” the newspaper quoted maths professor Adrian Riskin as saying.

The data includes officers’ payroll files and a spreadsheet which appears to identify Azusa gang members along with their nicknames, mobile phone numbers and home addresses; crime scene and booking photos; investigative reports referencing confidential informants; and an audio interview with what appears to be a cooperating witness, according to Riskin.

Azusa Police captain Christopher Grant denied suggestions the department was trying to hide or downplay the cyber-attack.

An ongoing criminal probe has limited how much the department can say publicly and investigators are still trying to determine everything that was stolen, he said.

Mayor Robert Gonzales said the council’s insurance company has made it clear the city was on its own financially. “They have said this is one of the things they won’t pay for – ransom,” he added.

PrivSec Global

Register to PrivSec Global and hear industry leaders discuss managing cybersecurity and digital transformation projects at 23 June at 10am BST.

Speakers include:

  • Stéphane Chmielewski, CISO, Finologee