Hackers release personal info of 22 D.C. police officers

A ransomware gang that hacked Washington's Metropolitan Police Department published extensive profiles of 22 officers Tuesday as part of an extortion attempt.

The files on current and former police officers are detailed and include personal information such as Social Security numbers, dates of birth, results of psychological assessments, copies of  driver’s licenses, fingerprints, polygraph test results, as well as residential, financial and marriage history. NBC News reached two officers whose profiles were published  using the phone numbers listed in them and verified their identities. Both said they had not been  told by  the department that their specific information had been accessed.

The department was first hacked in April. A ransomware gang soon claimed responsibility and later published profiles of five officers, then took them offline as it apparently entered negotiations with the department.

But those negotiations appear to have fallen through. According to an alleged correspondence with the department that the hackers published Tuesday, they demanded $4 million to not publish more stolen files.

The department countered with an offer of $100,000, saying its “spending is closely controlled.” The hackers responded that the counteroffer was “unacceptable.”

The hack is entirely distinct from the attack on the Colonial Pipeline and conducted by a different group, though both are Russian-speaking outfits. But both are part of a larger trend of ransomware attacks in which increasingly brazen organized criminals, usually based in Russia or Eastern Europe, hack American entities and demand money to either unlock their computers or not publish sensitive data.

The Metropolitan Police Department profiles are each stored as a PDF for individual officers. Most are more than 100 pages long, and one is more than 300 pages.

The department, which previously said it was aware of a cyber incident, didn’t respond to a request for comment for this story.

There have been more than 100 confirmed attacks against U.S. targets  this year alone, including state and local governments, schools, financial institutions, health care organizations and manufacturers, according to an analysis provided by the cybersecurity firm Recorded Future. Ransomware cost victims around $75 billion in 2020, according to an estimate by the cybersecurity firm Emsisoft.