- A threat actor identified as “cc5ab” has claimed responsibility for what appears to be a significant security incident involving the Chicago City Clerk’s Legislation API.
- The alleged breach covers legislative matters, vehicle damage claims, parking permits, court settlements, and official contact info, totaling hundreds of thousands of records.
- Contact details for high-profile officials, including mayors Brandon Johnson, Lori Lightfoot, Rahm Emanuel, and Richard M. Daley, are reportedly part of the leaked data.

A hacker named “cc5ab” claims to have breached Chicago’s legislative API.
The leak reportedly exposed more than 177,000 records. Parking permits and even the mayor’s details are part of the leak as well.
City officials have yet to confirm the incident. But the claims already raise serious questions about citizen privacy.
A Hacker’s Claims and Unconfirmed Breach
The Clerk Legislation API is a system that helps manage and publish legislative records for the city. Officials haven’t confirmed anything publicly yet. But the alleged leak sounds significant.
The hacker claims the exposed data goes back over a decade. We’re talking about city legislation, citizen claims, parking permits, court settlements, and official contact details. That is a wide range of information.
Let’s break down what the actor says they got access to.
Legislative Data
The largest dataset in the leak is the legislative records set, which contains 177,566 legislative actions from 2011 to the present, including ordinances, resolutions and orders passed by the city.
Legislative databases are designed to give the public transparency. The essential question here is whether the API exposed more than it should have.
Vehicle Accident Claims
Another dataset allegedly consists of 69,739 vehicle accident claim records. It contains the full names of claimants, the claim number and the date of the claim. Financial data is not part of what leaked in this dataset, but the personally identifying data could be helpful to fraudsters or scam artists.
Accessible Parking Permits
This is the dataset that really bothers me. It contains 45,472 records and includes the permit number, home address and full name of each permit holder.
The home addresses associated with these permits are of particular concern. It is entirely possible for a scammer to use this data in conjunction with publicly available data to build a very detailed picture of a person.
City data breaches are a growing concern globally. The Istanbul City app data breach exposed private data of millions on the dark web, highlighting how municipal systems are vulnerable to similar attacks.
Police Misconduct Settlement Records
The hacker has also claimed to possess 461 court settlement records related to police misconduct. These documents contain the names of the police officers, plaintiffs, and details of the settlements.
These records attract considerable public interest as they deal with legal conflicts between individuals and the police and police accountability.
Legislative Records
According to reports, the biggest dataset may contain 177,566 legislative actions from 2011 and later. These cover ordinances, resolutions, and orders that the city has passed.
The purpose of these databases is to provide transparency to the general public. The major cause for concern is whether the API holds more than ordinary citizens should have access to.
Vehicle Damage Claims
Another dataset reportedly contains 69,739 vehicle damage claim records. The records include first name, last name, claim number and date. They do not contain any financial data. However, the identity information provides opportunities for scammers and fraudsters.
Accessible Parking Permit
This dataset holds 45,472 records, including the permit number, residential address and full name of the permit holder. The address in particular is very confidential information. Scammers can combine it with publicly available information to create a detailed profile of that person.
Police Misconduct Settlements
The hacker also claims access to 461 police misconduct records that have been settled in court. This dataset reportedly contains the names of the police officers, the names of the plaintiffs and information regarding the settlement itself.
These types of public records get the attention of the public very quickly and they deal with issues regarding legal disputes and accountability of law enforcement.
Administrative Records of City Council
The City Council meetings dataset has about 3,544 records, including meeting agendas with direct links to PDF documents on the Microsoft Azure Government cloud. There is no evidence that Azure itself was compromised, but whether the exposed API made document links available is uncertain.
Contact information for Chicago mayors
Personal information regarding city leaders is among the actor’s claims. There’s also complete contact information for 123 current and former city officials, including email addresses, office phone numbers, photographs, and profile information.
It allegedly contains the names of former mayors Rahm Emanuel, Lori Lightfoot, and Richard Daley, and current mayor Brandon Johnson.
Moving Forward
Security experts recommend that the following actions be initiated immediately:
- Chicago IT teams should audit this API to ensure that access points are secure; securing access to prevent further data extraction is the priority at this point in time.
- Notify citizens who are potentially affected by the leak. The notice should include citizens whose names and addresses are associated with the vehicle damage claims and parking permit databases. This will give them the opportunity to monitor for suspicious activity and reduce their risk of fraud.
- Investigators need a forensic review of Azure-hosted document access. They should examine access logs and related records. That will show whether unauthorized users viewed or downloaded documents through exposed links.
Right now, the alleged breach remains unconfirmed. City officials haven’t verified the claims publicly. No one has independently established the full scope of exposure. Until they conclude the official investigation, everything remains uncertain.