Robert Contee wrote in an email to staff, “I can confirm that HR-related files with Personally Identifiable Information (PII) were obtained. As we continue to determine the size and scope of this breach, please note that the mechanism that allowed the unauthorized access was blocked.”
The police department is “working to identify all impacted personnel,” Contee wrote, acknowledging that the incident is “extremely stressful and concerning to our members.”
The attackers had posted a ransom note claiming they had stolen more than 250 GB of data and threatening to publish the material if they were not paid. The ransomware group Babuk claimed credit for the attack, posting screenshots of the note that were flagged by cybersecurity researchers.
“We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter,” the Metropolitan Police said in a statement to CNN on Monday evening.
In its claims, the Babuk group suggested it had obtained information on Metropolitan Police informants and threatened to weaponize that information if the department did not respond within three days. The group also vowed additional attacks targeting the FBI.
The Babuk strain of ransomware was first discovered earlier this year, according to a February threat analysis paper published by the security firm McAfee.
Little is known about the group behind the malicious software, but it appears to fit the mold of other ransomware attackers in that it primarily targets large, well-funded organizations, the paper said.
Since January, 26 government agencies based within the United States have been hit by ransomware, Neal Dennis, a threat intelligence specialist at the cybersecurity firm Cyware, said. More than a dozen have involved cases of data theft and threatened extortion.