Councilwoman Ysabel Jurado called on City Attorney Hydee Feldstein Soto Tuesday to appear before the council and detail events that led to a data breach of sensitive police records.
Jurado introduced a motion Tuesday demanding the City Attorney’s Office provide a public report of all non-privileged facts about the data breach. The unauthorized breach of the City Attorney’s Office’s third-party system occurred March 20, but was disclosed weeks later.
City attorneys used the digital program to transfer discovery to opposing counsel and litigants.
“My motion is about transparency, accountability, and protecting the city. We need to understand what information was exposed, who may be affected, whether proper notifications are being made, and what liability this creates for Los Angeles. This appears to be a serious governance failure, and the public deserves answers,” Jurado said.
Preliminary information suggests that a large number of records may have been accessed, including materials that could contain sensitive personnel information and legal case materials, according to Jurado’s office.
The potential release of the files raises concerns about the privacy and safety of city employees, witnesses, and others who may have provided information with an expectation of confidentiality, Jurado added.
According to her motion, there are concerns the data breach could impact ongoing legal matters and expose the city to significant legal and financial liability. The motion also calls for a confidential legal briefing, where appropriate, to address privileged matters.
If approved, the motion would also direct the city’s Information Technology Agency to report on how the system was compromised, what vulnerability or vendor issues contributed to the breach, and what corrective actions will be taken to strengthen security and prevent future hacks.
A representative for Feldstein Soto did not immediately respond to a request for comment.
Last week, the City Attorney’s Office confirmed there was a data breach involving Los Angeles Police Department records.
“After learning of the incident, our office took immediate steps to secure the tool and investigate what information was accessed. We reported the incident to law enforcement and engaged external support, including outside counsel and external forensic support. Our office has been working with city departments, including the city’s Information Technology Agency, to review the data involved in the incident,” Ivor Pine, deputy director of communications for Feldstein Soto, said in a previous statement.
The City Attorney’s Office said no other city applications or systems were impacted by the breach.
“The information was self-contained in this application without any links or access to any department records or systems. Our investigation is continuing to determine what information was present in the tool and we will take appropriate action to notify any affected parties based on the results of this review,” Pine said in his statement.
Feldstein Soto, who is seeking a second term, faced backlash for the data breach. The Los Angeles Police Protective League, which represents LAPD’s rank-and-file, rescinded its endorsement of her campaign.
Aida Ashouri, a human rights attorney, John McKinney, a deputy district attorney, and Marissa Roy, a deputy attorney general, are challenging Feldstein Soto to be the city’s top prosecutor and legal adviser. They each criticized Feldstein Soto and called for transparency and accountability.
The Los Angeles Times previously reported — citing two sources familiar with the investigation — that the third-party system was not password-protected. Some of the records showed up online.
One of the first accounts to post a file from the hack was @WhosThatCop. The account posts about police accountability. The account’s administrator had said a security researcher first disclosed the breach. The files were taken down; however, some of the data has been downloaded, according to The Times.
Most police records are private under state law, and when they are used in legal cases the files tend to be significantly redacted.
The Times reported there were 7.7 terabytes of information available for download and more than 337,000 files. The breach further included witness names, health information and unredacted criminal complaints and investigative files, the report said.
