Follow the money and you find the real policy. The LAPD records did not leak because a nation-state hacker cracked encryption. They leaked because the Los Angeles City Attorney's Office ran a file-sharing tool for discovery documents and chose not to put a password on it. On purpose. The tool was built after the George Floyd protests of 2020, when a wave of excessive-force lawsuits hit the department and outside counsel hired to help with civil litigation needed access to LAPD discovery. Two sources familiar with the investigation told the Los Angeles Times that city officials did not forget the password. They left it off so a specific class of people, the private attorneys, the contract lawyers, and the legal consultants on retainer, could sign in without friction.
The File Share Had No Password Because It Was Not Built for You
Every ordinary person whose file ended up in that tool, including the witnesses in open sexual-assault lawsuits, including the officers' family members and medical histories, including the identified victims in still-pending cases, was never told the tool existed. They did not consent to their records being uploaded. They did not see the password policy because there was no password policy to see. The convenience was built for the people on the inside of the legal system. The risk was assigned to the people on the outside. That is the first rule the Populist always names. The people who design the system always benefit from it.
The breach by the numbers.
Files exposed: approximately 337,000.
Volume: approximately 7.7 terabytes.
Discovery vector: a third-party file-sharing tool used by the LA City Attorney to transfer discovery.
Password status: none, by design.
Reason: built after the 2020 George Floyd-era lawsuit surge so outside lawyers could access discovery without friction.
First detection: March 20, 2026.
Public disclosure: April 7, 2026, via Los Angeles Times.
Gap: eighteen days.
Ransomware gang: WorldLeaks, believed by Halcyon to be a rebrand of Hunters International.
How Did We Get 7.7 Terabytes in One Dump?
The city noticed the breach on March 20, 2026. WorldLeaks walked into the file share, pulled down 337,000 files totaling 7.7 terabytes, and posted them on its extortion site the same day. Los Angeles Times reporters who reviewed portions of the dump documented officer personnel files from the LAPD TEAMS II system, Internal Affairs investigations, unredacted criminal complaints, witness names, medical records, and discovery from an active sexual-assault lawsuit against an LAPD officer set to go to trial the following week. DDoSecrets co-founder Emma Best, who has been authenticating fringe data releases since 2018, confirmed on Bluesky the day of the LA Times scoop that the files were real. The city attorney's office then waited until April 7, eighteen days after detection, for the LA Times to force the story into public view. The police union, the Los Angeles Police Protective League, said it learned about the breach from the newspaper, not from the city attorney whose re-election campaign the union had endorsed the week before.
To say we are disappointed by the lack of urgency and forthrightness from the City Attorney's office is an understatement. Feldstein Soto should have picked up the phone and informed us about this egregious data breach when she claims she learned of it several weeks ago. We first learned of the breach by reading the Times. — Los Angeles Police Protective League, public statement, week of April 7
Follow the Money. Who Wins?
Start with the simplest question in the case, which is also the one the press conferences will never ask. Who is in a better position on April 11 than they were on March 19? First, the ransomware operators. WorldLeaks pulled the original extortion post down shortly after the LA Times scoop ran. Nobody will say whether the city paid a ransom. The vanishing act is consistent with payment and it is consistent with the gang moving the files to a mirrored location. Either way, the people who built the system by accident ended up transferring money, or at least cover, to the people who took advantage of it on purpose. Second, John McKinney, who is running to unseat Hydee Feldstein Soto in the Los Angeles City Attorney race and spent the first week of April framing the breach as proof of her incompetence.
Third, the 900 LAPD officers currently suing the department over the 2023 release of their mugshot-style personnel photos. Their attorneys now have a second cause of action that writes itself, and the civil litigation bar in Los Angeles will spend the next five years billing against both the 2023 release and the 2026 breach. Fourth, DDoSecrets, the transparency collective that mirrored the data. Emma Best got a new archive, and the reporters and defense attorneys who rely on DDoSecrets got a new discovery tool. Political campaigns got a new weapon. None of the winners on that list are the people whose files are in the archive. That is the Populist's second rule. Follow the money and the real policy is whatever protects the people writing the invoices.
Who Pays?
Line up the bill. The witnesses in the open sexual-assault case whose statements are now in a ransomware archive. The LAPD officer whose medical file, including workers-comp claims from 2017, is now in the hands of anyone who can torrent 7.7 terabytes. The 900 officers who were already paying lawyers to sue the department over the 2023 photo release. The sexual-assault complainants across hundreds of closed lawsuits whose identities and testimony stood sealed under California Penal Code 832.7 and are now sealed only in theory. The officers whose Internal Affairs histories, which by statute are confidential to everyone except their own attorneys, are now in practice accessible to anyone with a torrent client.
None of those people were asked whether their files should sit inside a password-less file share run by a city office for the convenience of outside counsel billing at $600 an hour. None of those people will see a dollar of the settlements the next round of lawsuits will produce. The class of people who will see those dollars is the same class of people the file share was built to serve in the first place. The loop is worth flagging. The system that built the breach is the same system that will be paid to clean it up.
The Translation Test
When experts describe the breach they use phrases like unauthorized access to a third-party tool, isolated containment, and discovery workflow compromise. Here is the translation test. A contract lawyer wanted a convenient file drop. The city paid to build it without a password. A criminal group walked in and took everything. The city waited almost three weeks to tell the police union and is still not telling the public whether it paid the criminals to go away. If you can explain the breach in sixty seconds at a kitchen table and every word of the explanation is already in the public record, the Populist says the system was not complicated. It was negligent, and the complication exists only in the press release.
The lack of transparency is not just concerning, it is unacceptable. By keeping the public in the dark, witnesses and Los Angeles Police Department families may have been put at risk. — John McKinney, LA City Attorney challenger, on Hydee Feldstein Soto's handling of the breach
The Accountability Question the Populist Will Not Let Go
Who decided the file share did not need a password, and what was that person paid to make that decision? The question has a paper trail. It sits in an IT procurement record inside the city attorney's office, and the answer is the name of a specific official who approved a specific architecture on a specific date, with a specific contract number. No guesswork is needed. Ask the city attorney, the mayor, the city council, the LAPD, the police union, and the Los Angeles Times to publish that name, that date, and that contract number inside the next seven days. Ordinary people pay for the system when it works, and they pay for the system when it breaks. The least they are owed is the name of the person who decided which class of Angelenos would be protected from the password and which class would not.








