Massive hack exposes emails from top Lightfoot officials

The emails were posted online on April 19 by Distributed Denial of Secrets, a nonprofit whistleblower group similar to WikiLeaks, and include tens of thousands of emails from city officials.


Tens of thousands of emails from officials at City Hall were exposed in a data hack of a firewall vendor.


A massive cache of tens of thousands of hacked emails detailing the inner workings of Mayor Lori Lightfoot’s administration was leaked to the public last month apparently in response to the fatal police shooting of 13-year-old Adam Toledo.

The emails were posted online on April 19 by Distributed Denial of Secrets, a nonprofit whistleblower group similar to WikiLeaks that’s facilitated other recent high-profile data dumps. An unrelated hacker gang initially stole the files during a series of data breaches that swept up sensitive information from corporations, universities and government bodies.

Freddy Martinez, a local activist and member of DDoSecrets’ board, said his team discovered the files on the “dark web,” an unchecked portion of the Internet that’s a haven for cybercriminals. DDoSecrets ultimately posted the voluminous collection of emails after realizing they contained information “the public should know,” Martinez said.

“In light of the killing of Adam Toledo, we have decided to publish a cache of emails from the City of Chicago and the Chicago Police Department,” DDoSecrets noted in a post announcing the release.

The email accounts contain header information to indicate they belong to Susan Lee, the former deputy mayor of public safety; Patrick Mullane, Lightfoot’s former deputy press secretary; Tamika Puckett, the city’s former chief risk officer; and Anjali Julka, the former Freedom of Information Act officer for the mayor’s office. But they include emails that contain header information indicating they were authored by a host of city officials, including Lightfoot.

Kristen Cabanban, a spokeswoman for the city’s Law Department, didn’t immediately raise concerns about the authenticity of the hacked files when she responded on April 21 to a Sun-Times inquiry about the data breach.

But on Friday, shortly before the city issued a news release about the hack, Cabanban said city agencies wouldn’t comment on the content of the emails. In her latest statement, Cabanban claimed there’s “no evidence” to suggest the files are genuine, adding that reporting on them “makes all of us less safe and encourages future bad actors to use nefarious means to gain information.”

“Hackers of government-related materials are known to manipulate and alter illegally obtained emails and documents,” she said.

Cabanban previously said city officials learned of the breach on Feb. 11 and immediately notified federal law enforcement. By then, it’s likely the authorities were already aware.

50,000 documents, 750,000 images

The hacked files, which also include roughly 50,000 documents and nearly 750,000 images, were swiped during recent data breaches targeting Accellion, a firewall vendor whose dated file-sharing network was compromised by organized cybercriminals.

The hackers were able to snatch up sensitive data from a variety of reported victims, including the oil giant Shell, Stanford University and the state of Washington.

Clop, the ransomware crew that claimed responsibility for the hack, has used the stolen data as a means for extortion, threatening to make information public while negotiating for huge payoffs to make it disappear. Security researchers believe the group is based in the Commonwealth of Independent States, which includes Russia and other former Soviet Union countries.

On Feb. 25, the U.S. Cybersecurity and Infrastructure Security Agency issued an alert with authorities from four other countries, saying the Accellion hacks “impacted organizations globally.”

“Actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal and territorial government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors,” the alert stated.



The emails from members of Lightfoot’s administration were taken when the hackers stole files from Jones Day, a prestigious law firm that represents the city and other high-profile clients, including former President Donald Trump.

Jones Day didn’t respond to repeated requests about the breach, which was first reported days after the city was informed that officials’ emails and documents were included in the virtual heist. Those reports, however, didn’t mention the city’s files were taken.

In her earlier statement, Cabanban said the stolen city documents were shared with Jones Day as part of the firm’s pro-bono inquiry into “the circumstances surrounding the Anjanette Young case,” referring to the social worker who was the victim of a humiliating botched raid carried out by Chicago police officers in 2019.

Young sued the city earlier this year in Cook County court alleging that Lightfoot and other high-ranking officials “became involved in the conspiracy to cover up these grotesque human rights violations.” The suit came after another case Young filed in federal court was dismissed.

Breach occurred from data transfer

Though Jones Day hasn’t been listed as an attorney in either case, Cabanban explained the firm worked with the city’s Department of Assets, Information and Services to gather certain data, like emails between city employees and agencies.

“The City and AIS worked to ensure appropriate security measures were in place. Despite these efforts, the breach occurred as a result of a transfer of data from Jones Day to its selected third-party vendor,” Cabanban confirmed.

Cabanban acknowledged the city has “a longstanding legal relationship” with Jones Day that includes other matters, but she claimed the hack “solely involved data” related to the firm’s inquiry into Young’s case.

The hacked emails include some conversations about the wrongful raid targeting Young. But they also offer a look inside Lightfoot’s administration during crucial moments of the mayor’s first term in office, including the start of the coronavirus pandemic and the uprisings last summer that gave way to waves of violence and looting.

DDoSecrets, the group that leaked the emails, has facilitated a series of similar data releases in recent years. That includes leaking information about those who donated to teenage vigilante Kyle Rittenhouse’s defense fund and publishing videos and images from the far-right social network Parler, including posts made during the insurrection at the U.S. Capitol.

Perhaps most notably, last year’s #BlueLeaks disclosure made public a trove of hacked documents created by law enforcement agencies and provided to fusion centers, or hubs that promote information sharing between local, state, tribal, territorial, and federal agencies. The data was reportedly stolen by the hacktivist group Anonymous.

Feds have called leakers a ‘criminal hacker group’

The Department of Homeland Security notes that fusion centers “conduct analysis and facilitate information sharing, assisting law enforcement and homeland security partners in preventing, protecting against, and responding to crime and terrorism.” Chicago’s fusion center, known as the Crime Prevention and Information Center, is located at Public Safety Headquarters.

In the wake of that disclosure, the DHS’ Office of Intelligence and Analysis labeled DDoSecrets as a “criminal hacker group.” Martinez said that’s a misnomer and claimed the group’s aim is journalistic in nature.

“That unit specifically has a long history of inflating threats. ... It’s just a way of criminalizing journalism in very unnecessary ways,” said Martinez, who’s also the director of the Chicago-based transparency group Lucy Parsons Labs.

He said DDoSecrets has put out calls for information worth publishing, but some of the data the decentralized group has published — like the city emails — is simply pulled from the dark crevices of the net. Clop has incrementally posted data from the Accellion hacks on the “dark web” as part of its extortion efforts.

“The information was sort of already out there,” he said. “We just sort of curated it and are republishing it, as is our right [under] the First Amendment.”

Martinez said his group treads lightly when dealing with information hacked by groups like Clop, weighing its value to the public against the potential for personal information being released.

In this case, Martinez said the group chose to release the emails “because a lot of the information that people really need is hidden in these relationships, like attorney-client privilege or its deliberative process.” Even if the group sought similar information through public records requests, Martinez added, “we wouldn’t get anything like it, anything close to what is in the release.

“These sorts of relationships are so hidden from the public, for the most part, that it’s very important to show the inner workings of certain behind-the-scenes government operations,” he said of the emails.

Editor’s note: This is the first of an occasional series about City Hall’s secret emails.
