Criminal hackers have posted an enormous trove of sensitive files to the internet from a San Francisco Bay Area transit system’s police department, including specific allegations of child abuse.
The breach comes from the Bay Area Rapid Transit System (BART) Police Department. BART’s chief communications officer, Alicia Trost, said in an email officials were investigating the posted files and that the hackers had not impacted BART services. It’s unclear when the hack occurred.
The perpetrators are an established group of ransomware hackers, one of the many who attack specific organizations and either encrypt sensitive files or threaten to post them on the dark web. The website the BART Police leaks were posted includes more than 120,000 files, according to an NBC News review.
At least six scanned, unredacted reports detailing suspected child abuse are among the files. Those reports state the name and birthdates of endangered children, and in some cases give descriptions of an adult and the alleged abuse.
Ransomware hackers often demand a payment to not share files. Trost declined to share additional information, but the fact that the files are now online indicates that BART refused to pay, said Brett Callow, an analyst at the cybersecurity firm Emsisoft.
The website also has mental health record forms, in which an officer can recommend someone for mental health evaluation. Other files include the names and driver’s license numbers of contractors who have worked on BART projects, police reports that name suspects for various crimes, and hiring documents for prospective officers.
Though it’s still rare for such sensitive police files to be leaked, cyber extortion attacks on U.S. public sector organizations, including police departments, have become increasingly common.
More than 100 networks associated with local government agencies were successfully attacked by ransomware hackers last year, according to an Emsisoft survey. The Treasury Department has estimated that ransomware attacks cost U.S. organizations $886 million in 2021, the most recent year for which it has published data.
“Unfortunately, not enough progress has been made in securing public sector organizations,” Callow said. “They can compromise investigations, resulting in exceptionally sensitive information leaking online, and even put people’s lives at risk — both officers and the public’s.”
In 2021, a different hacker gang breached the Washington, D.C., Metropolitan Police Department and leaked sensitive profiles of 22 officers when the it refused to pay.
It’s also common for such hackers to attack school districts. Des Moines Public Schools closed classes Tuesday due to a “cyber security incident,” a term often used to describe a ransomware attack. Almost 2,000 U.S. schools were impacted by ransomware in 2022, Emsisoft found.