The Housing Authority of the City of Los Angeles, or HACLA, is once again dealing with a severe ransomware incident. The Cactus ransomware gang has claimed responsibility for a cyberattack that reportedly exfiltrated nearly 900GB of sensitive data from the organization. This marks HACLA's second major cybersecurity breach in just two years, spotlighting significant challenges in securing critical public sector data.
HACLA, responsible for managing over 32,000 public housing units and overseeing a budget of $1 billion annually, confirmed the attack. "We've been affected by an attack on our IT network. As soon as we became aware of this, we hired external forensic IT specialists to help us investigate and respond appropriately," a HACLA spokesperson told BleepingComputer. The Cactus group claims to have accessed a significant amount of confidential data, including:
To back their claims, Cactus uploaded an archive allegedly containing samples of the stolen data. While HACLA insists that its core systems remain operational, the extent of the breach and the potential damage remain unclear. The agency has not yet specified when the attack was first detected or the timeline of its containment efforts.
This isn't the first time HACLA has been targeted. In 2022, the LockBit ransomware gang managed to breach HACLA's network and maintain unauthorized access for nearly a year before detection. The timeline of the first attack is telling:
The discovery of encrypted systems on New Year's Eve 2022 forced HACLA to take swift action by shutting down its servers and launching an investigation. Despite efforts to mitigate damage, the investigation revealed that highly sensitive data, including Social Security numbers, birthdates, passport and driver's license numbers, tax and military IDs, financial details, and health records, had been compromised.
HACLA's decision not to pay the ransom led LockBit to escalate their pressure tactics. They initially published samples of stolen data to prove their possession of valuable information and later released the full data set on January 27, 2023, after failed negotiations.
While the download link on LockBit's extortion site eventually became inactive, reducing the immediate spread, the breach's impact remained significant due to the length of unauthorized access and the sensitivity of the compromised data.
The Cactus ransomware gang, relatively new on the cybercrime scene since their emergence in March 2023, is already making waves with sophisticated double-extortion tactics. This method involves both encrypting files and stealing data, with the threat of public disclosure used as leverage. Their modus operandi includes purchasing stolen credentials, executing targeted phishing attacks, and exploiting vulnerabilities in publicly accessible systems.
By publishing snippets of allegedly stolen HACLA documents on their leak site, Cactus signaled their possession of highly confidential material, ramping up pressure on the agency. This public display underscores the severe security challenges facing public institutions, particularly those that handle large amounts of personal data.