In the aftermath of a disclosure that sensitive Azusa Police Department records had been hacked by criminals, city officials now acknowledge they experienced another costly ransomware attack that they hid from the public for nearly two years.

In the fall of 2018, the city, through its cybersecurity insurance carrier, paid $65,000 ransom to an unknown hacker organization to regain control of 10 data servers at the Police Department, Azusa City Manager Sergio Gonzalez said Thursday.

“We were able to unlock one server after the ransom was paid but immediately after found a free key to unlock all other locked servers,” Gonzalez said in an email. “No information was compromised. Our servers were just locked. We verified with forensic experts that no data was compromised. That’s essentially why we did not and were not required to report it (publicly).”

The 2018 breach apparently was caused by a virus unleashed after a city employee opened an email or link.

Forensic experts cleaned, wiped and restored the servers before putting them back online. Additionally, city employees received computer security training and updates to software and virus protections were provided.

History of hacks

However, those precautions didn’t prevent the most recent cyber attack at the Police Department, which was discovered March 9 and reported publicly May 27.

That attack was perpetrated by DoppelPaymer, a notorious and shadowy ransomware gang known for extorting victims and then posting their sensitive information on the dark web if the ransom isn’t paid. It is among several rogue hacker groups that have been blamed for recent attacks crippling industries in the U.S. and abroad, including Georgia-based Colonial Pipeline and JBS S.A., the largest meat producer in the world.

DoppelPaymer demanded 10.33 bitcoin, and then raised the ransom to 15.5 bitcoin, which at the time was about $800,000, Gonzalez said.

“In consultation with incident response partners, including federal law enforcement, the department ultimately declined to participate in any ransom payment,” said Gonzalez, adding he could not disclose the type of information that was compromised due to an ongoing criminal investigation.

Police reports on dark web

After the ransom deadline passed without payment, DoppelPaymer posted to its website hacked Azusa police evidence reports, jail records, payroll information and other data. As of Friday, the index page for the leaked information had 11,835 views.

The compromised records also may have included Social Security, driver’s license, California identification card, passport and military identification numbers. Financial, medical and health insurance information, along with data collected through an automated license plate recognition system, also might have been exposed, police said.

Gonzalez said the latest hack is troubling.

“These types of attacks are becoming more and more common and, to a certain extent, much more sophisticated,” he said. “We are again working to ensure we have the best cyber defense. We have also brought in additional resources by contracting with cybersecurity experts to rebuild our entire system from top to bottom, including upgraded servers, software and anti-virus programs and a more robust backup system.”

Azusa police have established a dedicated assistance line to address any questions individuals might have and to provide credit monitoring services to potentially affected individuals. The assistance line can be reached at 855-535-1860 from 6 a.m. to 6 p.m. Monday through Friday.