Events D.C. employee data published online following cyberattack

Comment

Nearly two months after D.C.’s official convention and sports authority said it was the victim of a cyberattack that may have compromised sensitive information about its employees, a ransomware group now appears to have published a tranche of data and documents from the agency on the dark web.

Events D.C. serves as the landlord for Nationals Park and also oversees the Walter E. Washington Convention Center and the RFK Stadium-Armory Campus, among other city attractions and activities. In a news release in October, Events D.C. revealed that “limited parts of its network” had been compromised by a cyberattack, and that it had moved swiftly quickly to curtail it — notifying law enforcement, including the FBI, while bringing on a data forensics expert to investigate.

At the time, Events D.C. said that a preliminary investigation suggested that “some sensitive information of our employees may have been compromised.”

On Friday, Events D.C. said in a new statement that it was recently made aware of “criminals who illegally accessed our system [and] published some data on the dark web,” which it said was possibly connected to the incident it described in October. The agency said it had no indication of a new attack and has not used the term ransomware to describe the breach, though the hacker group that claims to be responsible is known to use ransomware to attack companies and obtain sensitive files.

“We’re evaluating this apparent release of our data,” Events D.C.’s statement said. “Although we have no indication that anyone’s information has been used to commit fraud or identity theft, we offered our employees credit protection services at no cost out of an abundance of caution. Our investigation is ongoing.”

The statement did not specify how many of the agency’s 400 employees were impacted by the breach. The agency told Washington Business Journal in October that customer data may have also been stolen, but it did not respond to questions Friday related to whether customers were affected.

The hackers, who call themselves BlackCat/ALPHV, published Thursday what they say amounts to 80 gigabytes of internal Events D.C. files. The batch of files also appeared to contain incident and injury reports filed by customers who were impacted by the breach; one of those files says “DO NOT COPY or distribute this report without prior authorization from the Director of Operations or the General Counsel of the Authority.”

The data also appears to include documents like contracts, board minutes, bank statements and tax forms for employees, which contain sensitive information like Social Security numbers. Hacked materials included an apparent city plan to hold a major sports event on the Mall. Another file, labeled confidential, goes into granular details about arena security requirements of a major sports league.

Events D.C. has not confirmed the authenticity of the posted documents. Angie Gates, who was named the agency’s new president and CEO in October, was not available for an interview early Friday evening.

In April, the FBI said that many BlackCat/ALPHV developers and money launderers are “linked to Darkside/Blackmatter,” Russian cyber gangs that claimed responsibility for cyberattacks on Colonial Pipeline and an Iowa grain cooperative last year. Both of those cyber gangs have said they’ve shut down.

BlackCat/ALPHV has also claimed responsibility for hacks of dozens of organizations. This week, the Department of Health and Human Services warned health care organizations to be on alert, writing that the group “is known to have targeted the healthcare and public health (HPH) sector and is expected to continue.”

Last year, hackers posted hundreds of pages of purported internal D.C. police department documents after infiltrating the department’s computer network; the hacking group involved in that dump, called Babuk, threatened to release more documents if its demands for money were not met.