California Statewide Law Enforcement Association hack (Bureau Of Investigation)

This letter is in response to your correspondence dated May 23, 2019, which was received in the Attorney General's Office on May 23, 2019, in which you sought various records pursuant to the Public Records Act as set forth in Government Code section 6250 et seq.

Specifically, you requested:
Records relating to or mentioning the January 2012 hack of the California Statewide Law Enforcement Association.

There are two responsive records; the "plain text document" recovered from the dark web that was exfiltrated from the website and legislative proposal to amend Civil Code section 1798.29 in response to the facts of this breach. The relevant portion of these records are included within this response and are redacted.

Plain Text Document:
This document contains 1021 lines that includes the names, email address, usernames, and passwords of California Statewide Law Enforcement Law Enforcement Association members.
Outside of the above description of this document, the document itself would have to be completely redacted in that it contains certain private identifying information, such as non-commercial addresses, email addresses, and telephone numbers, along with other sensitive personal information such as social security numbers and credit card numbers based on considerations of personal privacy. (Cal. Const., art. I, §1, as incorporated into the Public Records Act by Gov. Code, § 6254, subd. (k); Gov. Code, § 6255.)

Legislative Proposal:
The attorney work product exception protects the confidentiality of any writing that reflects an attorney's impressions, conclusions, opinions, legal research or legal theories that is maintained as confidential. (Code Civ. Proc. section 2018.030.) This confidentiality provision is incorporated into the Public Records Act as an exemption from disclosure. (Gov. Code, section 6254, subd. (k); County of Los Angeles v. Superior Court (2000) 82 Cal.App.4th 819, 833.)
Records such as confidential analyses, draft language and memoranda prepared by the attorneys employed with the Attorney General's Office are subject to the work product exception and are consequently exempt from disclosure under the Public Records Act.

As a courtesy we are providing the following excerpt from that document in that it describes the public actions of the eCrime Unit in response to this breach:
There is no requirement to provide notification if the individual's name in combination with a password is subject to a breach. In the last year we have seen a shift where criminals are targeting websites with unsophisticated security to harvest user names and passwords. Since most accounts are now tied to an e-mail address, the intruders will use this information in an attempt to access the victim's other personal accounts. Unfortunately, most users do not use separate or unique passwords on all their accounts.

In a recent breach targeting California law enforcement, the website provider provided no notification that the users name and password were compromised since there was no requirement to do so. A large number of the victims used the same or similar passwords on other secure state or financial web sites. The information was published and Anonymous encouraged directed attacks against other accounts. The eCrime Unit ended up providing notice to the agents based on the information released by Anonymous.
As to the "notice to the agent" we were unable to find a copy of that document.

Robert Morgester
Senior Assistant Attorney General
eCrime Unit - Office of the Attorney General
1300 I Street, 9th Floor
Sacramento, CA 95814
(916) 210-7251
Robert.Morgester@doj.ca.gov

CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.