Hackers who apparently infiltrated the D.C. police department’s computer network briefly posted personnel files of at least five current and former officers, a gambit one security expert says was to prove the group’s threats are real.
The hacking group — called Babuk — had warned police in a statement to “get in touch as soon as possible and pay us, otherwise we will publish the data.” D.C. officials have not commented on whether they are in communication with the group.
NBC News contacted one of the former officers identified in the leak and reported that the person confirmed the information was correct. The officer was not identified.
One of the records reviewed by The Washington Post is marked “background investigation document” and “confidential.”
The 576-page file contains information collected when an officer was going through a background check to be hired in 2017. It includes the officer’s financial and bank information, a photocopy of the officer’s driver’s license, social media posts, a private cell number, answers to questions about past marijuana use and medical records.
The officer, whom The Post is not identifying, could not be reached on Thursday. His name and other information match a person in District payroll records. A D.C. official said the file appears legitimate.
Callow said the hacking group took down the documents later on Wednesday. But sometime Thursday, the group posted another warning on its dark Web site, saying only that the police “now determine whether the leak will be or not.” That threat was later taken down as well.
D.C. police said this week that they were “aware of unauthorized access on our server” and were working to “determine the full impact.” The FBI was brought in to help investigate. In addition to the personnel information, Babuk has threatened to expose confidential informants and files with titles such as “known shooters,” “most violent person,” “RAP feuds,” “gang conflict report” and “strategic crime briefings.”
On Wednesday night, acting D.C. police chief Robert J. Contee III emailed more than 3,600 members of the department confirming that the hacking group had obtained human resource files containing officers’ personal identification.
“As we continue to determine the size and scope of this breach, please note that the mechanism that allowed the unauthorized access was blocked,” Contee said in the email, which police provided to The Post. “We are working to identify all impacted personnel, who will be contacted directly with additional guidance. I recognize this is extremely stressful and concerning to our members.”
The email instructs officers how to obtain free copies of their credit reports. The officers can also put “fraud alerts” on their credit reports, requiring people accessing the information to obtain additional permissions.
Adam Scott Wandt, an assistant professor of public policy in the cybersecurity program at John Jay College of Criminal Justice, described the police breach as serious.
“The amount of damage that can be caused is absolutely incredible,” Wandt said. “It could interfere with ongoing investigations. Imagine Googling your name and seeing a data dump and learning you’re under investigation for fraud or for drug dealing.”
He said the data leak could also expose informants, putting their lives at risk. “This criminal group is making an extremely dangerous and potent threat,” Wandt said.
Wandt said investigators must determine how the group gained access to the system and whether somebody on the inside provided them help, even if unwittingly. Then, he said, police must block the group’s access to stop further damage.
Callow said the D.C. police department “has no good options. If they don’t pay, the data will be released. If they do pay, they’ll simply have to trust that the criminals will delete the stolen info. But why would they?”
He said Babuk has threatened to publicize its source code, allowing other groups to use its ransomware. D.C. police are among the latest victims of hacking, which in the past several years has targeted government agencies, businesses, universities and hospitals.
Emsisoft issued a report saying 2,354 agencies and companies were targeted in ransomware attacks last year. That included 113 municipal, state and federal agencies, 560 health-care facilities and 1,681 learning institutions.
Often the groups gain access to private networks, shut systems down and demand payment to restore services. Baltimore was struck by such an attack in 2019, crippling the city’s ability to process payments and online real estate transactions. The Baltimore Sun estimated the attack cost the city about $18 million in lost revenue and money spent to restore the systems and improve security.
Cybersecurity experts say D.C. police are being hit with a new kind of extortion scheme in which data is stolen and payment is demanded in exchange for not publishing it. Babuk made its first threat to D.C. police on Monday by posting screenshots of files the group purported to have stolen. The group claims to hold 250 GB of data, enough to hold 70,000 photos or tens of thousands of pages.
At the time, authorities said it was unclear if the group had been able to access those files.
Callow said that, based on Wednesday’s postings of actual personnel files, it appears the group does possess raw information.
Dalton Bennett contributed to this report.