Police union pulls support for city attorney after leak of thousands of LAPD files
The disciplinary files of Los Angeles police officers are closely guarded secrets, protected by some of the nation’s strictest confidentiality laws.
But now, many of those secret files have been splashed across the internet, along with tens of thousands of other sensitive records from the L.A. city attorney’s office.
The extent of the data breach is still unclear, and city officials have said they are investigating to find out what was taken, who was responsible and how the city’s cybersecurity was compromised.
The fallout has been swift since The Times first reported the breach earlier this week.
On Friday, the union for rank-and-file LAPD officers announced it had withdrawn its endorsement for Hydee Feldstein Soto as she campaigns for reelection as city attorney. On the same day, city leaders also said they planned to summon Feldstein Soto to testify about when she first became aware of the leak.
A spokesperson for the city attorney’s office said in a statement Friday afternoon that Feldstein Soto had “submitted her confidential report to Council this morning,” adding that she “looks forward to discussing this cyber intrusion” further with council members next week.
The statement said the office had been “the victim of illegal third party criminal conduct.”
“The illegal cyber intrusion appeared and still appears to be limited to one external software program,”
A ransomware hacking collective called WorldLeaks, which has gained a reputation for extorting private and public entities by threatening to disclose confidential files on the internet, has claimed responsibility.
The group first announced the breach on March 20. City and LAPD officials did not comment on whether the hackers requested a ransom in return for not releasing the information — or whether the city paid one. Some reports suggest that the group was behind a hack of L.A. Metro last month that forced it to shut down part of its transit network.
The Times spoke with several sources familiar with the investigation into the data breach who requested anonymity because they were not authorized to discuss the case publicly, and reviewed a partial inventory of the leaked files, including screenshots of some materials.
Here’s what we know so far.
How did hackers get the LAPD files?
The hacking group appears to have exploited vulnerabilities in a system used by the Los Angeles city attorney’s office, enabling the group to make off with nearly 340,000 files, according to the sources familiar with the case.
In the wake of the George Floyd protests, the sources said, the city was flooded with dozens of lawsuits from protesters who had been injured by LAPD officers. To handle the deluge of new cases, the city created a file-sharing system so that attorneys on both sides could access discovery materials, including some considered private under court orders.
It was akin to Dropbox or Google Drive, the sources said, and access was supposed to be restricted to just authorized users.
But the system, according to two sources familiar with the investigation, was not password-protected because city officials believed that it needed to be accessible to other parties, including outside attorneys hired to assist with civil litigation.
The sources said the system expanded far beyond its initial scope and came to include records from hundreds of lawsuits involving the LAPD.
The city attorney’s office said Friday that the hack affected a “document sharing platform.”
“We immediately notified LAPD command and City ITA staff, and have been in almost daily contact with City departments and officials as we work through this process,” the statement said.
What are the consequences of the massive leak?
The data breach could have political ramifications for the embattled Feldstein Soto.
Last week, she earned the endorsement of the powerful Los Angeles Police Protective League, which represents most LAPD officers below the rank of captain. But in a letter to the city attorney on Friday, union officials said they had withdrawn support because she was “repeatedly not forthcoming” about “the devastating data breach of sensitive LAPD files” from her office.
“You never informed us of this breach, we learned about it by reading the newspaper and that is not how our union and our members will be treated,” read the letter, signed by the league’s president, Ricky Mendoza.
Union officials contend Feldstein Soto kept them in the dark when she met with them on March 25 to seek their endorsement. That she “willfully failed to disclose this breach … is unforgiveable,” the statement said.
League officials demanded that she scrub any mention of the union from her campaign page and that she does “not use our revoked endorsement in any voter communication.”
The City Council has also pushed Feldstein Soto about when she first became aware of the breach.
City Councilmember Ysabel Jurado drafted a motion Friday, which she said would be introduced next week, that would order the city attorney’s office and the Los Angeles Information Technology Agency to report back on “the breach timeline, scope, notification obligations, vendor oversight, vulnerabilities, and corrective actions.”
“The most alarming part of this is not just the breach itself, but the possibility that City leaders knew and failed to provide timely transparency to the Council and the public,” Jurado said in a statement.
The city attorney’s office said Friday that LAPD command staff and other relevant parties were “immediately notified” once the hack became known.
“The City Attorney understands and shares the frustration of our public safety officials and union and reaffirms her unwavering commitment to public safety and to the hard working men and women of the Los Angeles Police Department who serve and protect our City every day,” said the statement from Feldstein Soto’s office.
Feldstein Soto’s two challengers in the June 2 city primary election seized on the breach as proof that the city attorney was unfit for the job.
“By keeping the public in the dark, witnesses and Los Angeles Police Department families may have been put at risk” said John McKinney, who currently leads the major crimes bureau at the L.A. County district attorney’s office.
Marissa Roy, the deputy state attorney general and the most well-funded of three challengers, accused Feldstein Soto of disregarding concerns about data privacy raised by people within her office.
“When a sensitive breach like this occurs, the response should be urgency, transparency, and proactive communication, not concealment,” she said in a statement.
Lawyers for police officers reported numerous calls from clients worried their personnel and medical records were exposed, raising the prospect of more costly litigation. About 900 officers are currently suing the department over the 2023 release of mugshot-style images and other materials in response to a public records request.
Feldstein Soto was among those who has lobbied California lawmakers to weaken the state’s public records law, proposing a change that would allow government agencies to decline future public records requests that seek “images or data that may personally identify” employees.
How much information was snatched and what’s in it?
In all, according to posts about the data breach, 7.7 terabytes of information was available for download.
The LAPD statement described the files in the recent hack as coming from closed cases, but at least one of the files reviewed by The Times involved a lawsuit over an alleged sexual assault by a police officer that was set for trial next week.
Also disclosed were personnel files from dozens of current and former officers. Every officer’s personnel records are contained within a system called TEAMS II.
It is a detailed history that includes records on arrests they have made, training sessions they have attended, citizen complaints received against them and lawsuits they have been involved in, along with any history of traffic collisions, shootings or other uses of force, commendations, assignments, workers’ compensation claims and more.
Such records can be turned over as discovery in civil cases, but almost always under a protective order that restricts them from being shared publicly.
An unknown number of internet users have downloaded the terabytes of data in the weeks since its release. What surfaces next remains to be seen.
