When the Los Angeles City Attorney’s Office detected unauthorised access to a third-party file-transfer tool on 20 March 2026, the compromised system wasn’t a police database or a government network. It was a commercial platform used to transfer legal discovery materials to opposing counsel and litigants in civil cases involving the LAPD. The attacker was World Leaks — a data extortion group that emerged in early 2025 as the successor to the Hunters International ransomware operation — and by the time the breach became public on 8 April, they had already published 7.7 terabytes of material: more than 337,000 files containing records California law treats as among the most sensitive held by any public agency.
What Was Taken
The exposed dataset cuts across some of the most confidential categories of law enforcement information. Officer personnel files, Internal Affairs investigation records, disciplinary findings, and unredacted criminal complaints were all included. Discovery documents from closed and settled civil lawsuits brought additional exposure: witness names, medical records, and personal details of litigants who had no expectation their information would become public. At least one file relates to an active 2022 sexual assault allegation against a serving officer.
California’s Pitchess statute restricts access to police personnel records even within the justice system. The fact that these records were accessible via a third-party discovery portal — designed to facilitate legitimate legal workflows — demonstrates how compliance processes create data exposure surfaces that are rarely assessed with the same rigour as primary enterprise systems.
World Leaks and the Pure Extortion Model
World Leaks’ operational model is a significant departure from traditional ransomware groups. Where Hunters International encrypted victim systems and demanded payment for decryption keys, World Leaks skips encryption entirely. The group exfiltrates sensitive data, threatens public disclosure, and publishes everything if a ransom is not paid. This approach has several implications for defenders:
- No encryption event to detect. There is no ransomware detonation, no sudden file-extension changes, and no ransom note dropped on endpoints. The only observable event is data exfiltration — often indistinguishable from legitimate bulk file access if DLP and anomaly detection controls are weak.
- Data is the leverage. Payment no longer guarantees system restoration; it only (theoretically) prevents publication. Victims have no guarantee of deletion even if they pay.
- Reputational and legal harm is immediate. Once files are published on a leak site, the damage to affected individuals — in this case, serving police officers, witnesses, and assault victims — cannot be undone.
The FBI’s Los Angeles field office has confirmed it is assisting and coordinating with law enforcement partners. LAPD has stated its own systems were not directly accessed.
Why Third-Party Discovery Tools Are High Risk
Legal discovery platforms occupy an unusual position in the data custody chain. They receive highly sensitive documents from protected systems, but they are typically procured, configured, and managed by legal departments rather than security teams. Security review of these tools — including penetration testing, access logging, and data retention controls — is often absent or superficial.
This incident is not isolated. Legal-sector technology providers have become attractive targets precisely because they hold the most sensitive records an organisation produces (litigation documents often contain everything damaging about an organisation) whilst operating under less scrutiny than primary enterprise infrastructure.
Recommended Actions
For security and legal operations teams handling discovery or litigation data:
- Audit every third-party tool that receives sensitive organisational data. Legal discovery platforms, e-disclosure tools, and secure file-transfer services should all be subject to the same vendor risk assessment process as core IT infrastructure.
- Apply data minimisation to discovery workflows. Shared discovery portals should contain only the specific documents required for each matter, with access scoped to named parties, not open to bulk export.
- Enable DLP controls on outbound transfers. Bulk downloads from legal document repositories should trigger alerts. If a system designed to share individual case files is transferring terabytes in a single session, that is a detectable anomaly.
- Review retention policies. Discovery portals should not indefinitely retain documents from closed and settled matters. Define and enforce deletion timelines once a case concludes.
- Assess whether current vendor contracts require breach notification SLAs. The City Attorney’s Office detected unauthorised access on 20 March; public disclosure came 19 days later. Understand your contractual rights to prompt notification from third-party providers.
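The bulk-download alert recommended above, and the point made earlier that pure exfiltration is only visible as unusual file access, can be turned into a per-session check over the portal's export log. The sketch below is an added example, not code from any vendor or from the affected platform; the log format, account names and all three thresholds are assumptions to be tuned against real traffic.

```python
import csv
import io
from collections import defaultdict
from statistics import median

GIB = 2**30

# Constructed sample export log. Columns (hypothetical format):
# timestamp, account, session_id, matter_id, bytes_sent
SAMPLE_LOG = """\
2026-03-02T09:14:07Z,counsel_a,s-101,M-0041,18350080
2026-03-02T09:15:31Z,counsel_a,s-101,M-0041,12582912
2026-03-05T14:02:10Z,counsel_a,s-102,M-0041,12582912
2026-03-09T02:11:45Z,counsel_a,s-103,M-0007,42949672960
2026-03-09T02:40:12Z,counsel_a,s-103,M-0012,42949672960
2026-03-09T03:05:58Z,counsel_a,s-103,M-0019,42949672960
2026-03-09T03:33:20Z,counsel_a,s-103,M-0041,42949672960
2026-03-09T04:01:03Z,counsel_a,s-103,M-0056,42949672960
2026-03-03T11:20:00Z,counsel_b,s-201,M-0012,26214400
2026-03-10T16:45:00Z,counsel_b,s-202,M-0012,629145600
"""

def flag_sessions(log_text, hard_cap=50 * GIB, ratio=20, max_matters=3):
    """Return {session_id: [reasons]} for sessions that look like bulk export."""
    totals, matters, owner = defaultdict(int), defaultdict(set), {}
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        _ts, account, session, matter, nbytes = row
        totals[session] += int(nbytes)
        matters[session].add(matter)
        owner[session] = account
    alerts = {}
    for session, total in totals.items():
        # Baseline: median volume of the same account's other sessions.
        others = [t for s, t in totals.items()
                  if owner[s] == owner[session] and s != session]
        reasons = []
        if total >= hard_cap:                       # absolute ceiling per session
            reasons.append("volume_cap")
        if others and total >= ratio * median(others):
            reasons.append("baseline_ratio")        # far above this account's norm
        if len(matters[session]) > max_matters:     # one session, many cases
            reasons.append("matter_spread")
        if reasons:
            alerts[session] = reasons
    return alerts

if __name__ == "__main__":
    for sid, why in flag_sessions(SAMPLE_LOG).items():
        print(sid, ",".join(why))
```

The matter-spread rule ties back to the data-minimisation point: an account scoped to one case has no reason to pull documents from five in a single session, whatever the byte count.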
For public sector and law enforcement agencies, the lesson is that data sensitivity classifications must follow data wherever it travels — including into the workflows of external counsel, litigation support vendors, and discovery technology providers.