After extending a deadline for weeks in an attempt to extract a ransom, hackers have posted a trove of data seized late last year from the Housing Authority of the City of Los Angeles.
A notice posted on the dark web site LockBit late Thursday said all available data had been uploaded.
It was not immediately clear whether personally identifiable information like addresses or phone numbers was included in the documents. By Friday afternoon, the site had gone down, as LockBit’s dark web sites often do.
HACLA, one of the nation’s largest public housing authorities, provides affordable housing to more than 83,000 households in its Public Housing and Section 8 rental assistance programs, and offers a range of permanent supportive housing programs for homeless households.
Brett Callow, a threat analyst for the New Zealand-based cybersecurity firm Emsisoft, said the hackers posted the data in two tranches, the first on March 9. A banner announcing “ALL FILES UPLOADED” was then posted at 9:08 p.m. Thursday local time.
Callow, who alerted The Times to the posting, said he had not accessed the data because he had “no reason to further invade folks’ privacy.”
But he said the hackers posted an 88-megabyte text document with an index of all the files they claimed to have posted.
Individuals who deploy the LockBit malware first published screenshots on Dec. 31 representing what they claimed were 15 terabytes of data they had seized and giving the housing agency until Jan. 12 to pay a ransom.
In its initial ransom demand, the group published what appeared to be a bank statement and a list of folders. The folder names suggested a broad range of data, sensitive and mundane alike, from payroll, audits and taxes to a 2021 holiday video.
The size of the data set and the structure of the folders suggested that the attack targeted a shared file storage system and not a single machine.
The housing agency had not responded Friday afternoon to The Times’ questions about whether a ransom was paid and about what steps it had taken to notify and protect those whose information may have been exposed.
Possible illegal uses of any personal data would be identity fraud or the public disclosure of documents relating to disciplinary proceedings and alleged harassment, Callow said.
“That can obviously be very uncomfortable for the individuals involved and could even be used for blackmail,” he said.
LockBit was described as “one of the most active and destructive ransomware variants in the world” in a 2022 criminal complaint filed by the Department of Justice against an alleged participant.
The complaint claimed that members of LockBit had made more than $100 million in ransom demands since January 2020, successfully extracting “tens of millions” from victims.
The attack cut staff and students off from email and knocked out systems that teachers use to post lessons and take attendance.