A suspected hacker claimed he or she had stolen the personal information of about 2,500 LAPD officers, trainees, and recruits, along with approximately 17,500 police officer applicants, in what may be a large breach of data held by the city of Los Angeles' Personnel Department.
The city's Information Technology Agency said it was contacted last week by someone who claimed to have accessed and downloaded the data, and the person offered some example files to show they actually had obtained the data, said agency General Manager Ted Ross.
"Out of an abundance of caution we're applying extra layers of security around our personnel system and enhancing defenses," Ross told NBCLA Monday.
The affected officers, trainees, and applicants began to receive notifications over the weekend.
An email message said to officers that the department learned of a data breach that involved "some of your information contained within the Personnel Department's Candidate Applicant Program."
The compromised data included the officers' names, dates of birth, parts of their social security numbers, and the email addresses and passwords they set up when applying for the job, according to the message. Additional personal information may have been compromised.
The LAPD told officers in the message they should monitor their personal financial accounts, get copies of their credit reports, and file a complaint with the Federal Trade Commission.
The message did not include an explanation of how the breach happened, or if the city would provide credit monitoring or other services.
An LAPD spokesman said Monday the department was taking steps to make sure its personnel data was safe.
"Data security is paramount at the Los Angeles Police Department, and we are committed to protecting the privacy of anyone who is associated with our agency," the spokesman said.
The officers' union, the Los Angeles Police Protective League, said the breach was a serious security issue, and urged the city to investigate how it happened and improve data security.
"We also call upon the city to provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence, so that they may restore their credit and/or financial standing," the Protective League said.
Ross said the purported hacker claimed to have downloaded a "subset" of the city's police officer applicant data, and additional work was being done by the ITA to learn the full scope of the potential theft.
He said it's not clear whether the hacker actually had the full volume of files they claimed to have, and said it may take days or weeks to learn exactly what was taken — and how the data was obtained.
The hacker said they had, "received it through external sources," Ross explained, meaning the person claimed they somehow obtained access to the City's data, rather than it being provided by an insider, such as a former employee or rogue employee.