California’s Department of Finance has confirmed it’s investigating a “cybersecurity incident” after the prolific LockBit ransomware group claims to have stolen confidential data from the agency.
The California Office of Emergency Services (Cal OES) in a statement on Monday described the threat as an “intrusion” that was “identified through coordination with state and federal security partners.”
The statement did not provide any specifics about the nature of the incident, who was involved or whether any information had been stolen. The California Department of Finance did not respond to TechCrunch’s questions prior to publication.
“While we cannot comment on specifics of the ongoing investigation, we can share that no state funds have been compromised, and the department of finance is continuing its work to prepare the governor’s budget that will be released next month,” the statement said.
While state officials remain tight-lipped about the incident, the notorious LockBit ransomware gang on Monday claimed responsibility for the attack. In a post on its dark web leak site seen by TechCrunch, the Russia-affiliated group claims to have stolen 76GB of files from the agency, including “databases, confidential data, financial documents, certification, IT documents, and sexual proceedings in court.”
Screenshots shared by LockBit lend some weight to its claim, but the ransomware gang’s claims should still be taken with skepticism. In June, the group claimed it breached cybersecurity company Mandiant, which was later revealed as false. The ransomware group faked the incident in response to a Mandiant investigation that demonstrated significant overlaps between LockBit and the U.S.-sanctioned Evil Corp group.
LockBit has given California’s finance department a December 24 deadline to pay its as-yet unspecified ransom demand. If the agency fails to pay, the ransomware gang is threatening to leak the entire cache of stolen data.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
This latest breach comes just weeks after the U.S. Department of Justice in November charged a dual Russian and Canadian citizen linked to LockBit over his alleged involvement in attacks targeting critical infrastructure and large industrial groups worldwide. At the time, the DOJ said that LockBit has claimed at least 1,000 victims in the United States and has extracted tens of millions of dollars in actual ransom payments from their victims.
Ransomware recovery can be costly, and not just because of the ransom
