Data from the city of Collegedale was leaked this week after the city's computer systems were hacked, a spokesperson said.
"Safety measures were in place that allowed the city to quickly recover the data and restore all its systems," spokesperson Bridgett Raper said in an email Tuesday. "The city is continuing to work with its IT provider to assure all data has been accurately restored."
It's unclear if, or how, the city's systems were affected as a result of the hack. Raper did not respond to additional questions Wednesday following the city's statement.
A folder with more than 4,000 documents that appear to be taken from the city's internal system was posted on the dark web Sunday or Monday, Brett Callow, a threat analyst at New Zealand-based information security company Emsisoft, said in a phone interview Monday.
The data was taken by ransomware operation BlackByte, which frequently uploads copies of data taken from public and private organizations on its site to demand ransom payments. The listing for data from Collegedale appeared alongside other listings of data from several private businesses when viewed Monday by the Chattanooga Times Free Press.
"The way these things work is, the attackers will first steal a copy of the data, and then they usually try to encrypt the network as well to lock it up," Callow said. "Sometimes that attack can be blocked, but at that point the data is already stolen."
The documents viewed by the Times Free Press appear to include personal information about employees and crime victims, financial and bank information, and human resources documents. They also include less sensitive information, including training and certification documents for the Collegedale Police Department, budget documents and copies of police reports -- most of which would be subject to Tennessee's public records law.
The leak likely wasn't targeted to harm Collegedale specifically, Callow said, since ransomware groups typically look for systems with vulnerabilities or whose data they think could be profitable to sell.
Hacks like these are becoming more common among local governments and police departments, Callow said.
"Obviously they hold exceptionally sensitive data," Callow said. "In some cases prosecutions have had to be dropped because data has been lost or compromised."
In Oakland, California, a police union in March filed a lawsuit against the city after a recent data leak exposed personal information about city employees, according to KRON4 News. The suit claimed the city didn't have enough measures in place to protect that information, even after its data security was identified as a problem in a 2022 report.
Though a data leak is serious, encryption attacks that actually shut down computer systems pose a greater risk to police departments, Callow said, since they rely on those systems to look up license plates and warrants, enter reports and communicate with each other.
Even paying a ransom doesn't guarantee the data will be taken down, according to Callow. He cited cases in which an organization paid to have data removed from BlackByte or similar ransomware sites, only to have the data pop up on the dark web again later.
Under Tennessee law, organizations that host personal identifying information have to tell people if their data was breached within 45 days of discovering the breach. Tennessee Code section 47-18-2107 allows exceptions for that if revealing the breach would endanger a law enforcement investigation, the law says.