RC RANDOM CHAOS

A single compromised email led to 7.7TB of LAPD data exfiltration - here's what telemetry actually showed

A compromised admin email led to 7.7TB of LAPD data exfiltration. No exploit, no payload - just valid API access and unmonitored behavior. What telemetry actually showed.


LA City Attorney Breach: 7.7TB Exfiltrated Through a Single Authenticated Session

A compromised email credential at the LA City Attorney’s Office led to the exfiltration of 7.7TB of sensitive LAPD records: case files, forensic evidence, and internal communications. No vulnerability was exploited. No malware was deployed. The attacker authenticated through the front door and walked out with the archive.

Attack Chain

The initial vector was a spearphishing link (T1566.002) targeting an administrative mailbox with broad access to internal repositories. No payload, no macro, just a credential harvesting page hosted on a compromised cloud storage endpoint. The victim authenticated to it. Credentials captured.

The attacker used the stolen credentials to log into the organization’s file-sharing portal as a valid user (T1078.004 - Cloud Accounts). No privilege escalation required. The administrative account already had read access to sensitive data repositories. No network segmentation separated the mailbox environment from backend storage; one credential unlocked the entire data tier.

Data was retrieved through authenticated API endpoints (T1530 - Data from Cloud Storage). The exfiltration volume of 7.7TB indicates sustained bulk retrieval over an extended session window. No rate-limiting, no session timeout enforcement, and no bulk-transfer alerting interrupted the operation.

Detection Failure Analysis

This attack generated zero alerts because it produced no anomalous signatures. Every action was a legitimate API call from an authenticated session.

The detection opportunities existed but were not instrumented:

  • Azure AD / Entra Sign-In Logs: Login from a cloud provider IP block outside the org’s baseline. Risk detection properties (unfamiliar location, atypical travel) would flag this if conditional access policies evaluated sign-in risk. They apparently did not.
  • Unified Audit Log - FileAccessed / FileDownloaded events: Bulk file retrieval from a single session exceeding baseline volume by orders of magnitude. A simple threshold alert on download volume per session per hour would have caught this.
  • Session analytics: A single session downloading terabytes without pause deviates from any human access pattern. No UEBA baseline was applied to administrative accounts.
  • Network telemetry: Sustained high-bandwidth egress to a cloud provider IP. NetFlow or proxy logs would show the anomaly if anyone was looking at aggregate transfer volume per source identity.

None of these required advanced tooling. All required someone to define what normal looks like for a privileged administrative account and alert on deviation.
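The per-session-per-hour download threshold described above, as an added example that is not part of the original post. The records are constructed to resemble Unified Audit Log FileDownloaded events; the field names (Operation, UserId, SessionId, CreationTime, Size in bytes) and the baseline figure are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime

GIB = 1024 ** 3

# Constructed sample records (not from the original post). Field names follow the
# Unified Audit Log schema loosely; Size is assumed to be bytes.
SAMPLE_EVENTS = [
    {"Operation": "FileDownloaded", "UserId": "admin@example.gov", "SessionId": "S1",
     "CreationTime": "2025-01-10T09:12:00", "Size": 2_000_000},
    {"Operation": "FileDownloaded", "UserId": "admin@example.gov", "SessionId": "S1",
     "CreationTime": "2025-01-10T09:40:00", "Size": 5_000_000},
    {"Operation": "FileAccessed", "UserId": "admin@example.gov", "SessionId": "S1",
     "CreationTime": "2025-01-10T09:41:00", "Size": 5_000_000},
    # Overnight session pulling tens of gigabytes per file with no pause between requests.
    {"Operation": "FileDownloaded", "UserId": "admin@example.gov", "SessionId": "S2",
     "CreationTime": "2025-01-11T02:03:00", "Size": 40 * GIB},
    {"Operation": "FileDownloaded", "UserId": "admin@example.gov", "SessionId": "S2",
     "CreationTime": "2025-01-11T02:17:00", "Size": 40 * GIB},
    {"Operation": "FileDownloaded", "UserId": "admin@example.gov", "SessionId": "S2",
     "CreationTime": "2025-01-11T02:49:00", "Size": 40 * GIB},
]


def hourly_download_volume(events):
    """Sum bytes of FileDownloaded events per (user, session, UTC hour bucket)."""
    volume = defaultdict(int)
    for e in events:
        if e.get("Operation") != "FileDownloaded":
            continue  # FileAccessed and other operations are not transfers
        hour = datetime.fromisoformat(e["CreationTime"]).strftime("%Y-%m-%dT%H")
        volume[(e["UserId"], e["SessionId"], hour)] += int(e.get("Size", 0))
    return dict(volume)


def flag_bulk_sessions(events, baseline_bytes_per_hour, multiplier=10):
    """Return buckets whose volume exceeds multiplier x the account's own baseline.

    baseline_bytes_per_hour is 'what normal looks like' for this account,
    derived from its history; the multiplier tolerates legitimately busy hours."""
    threshold = baseline_bytes_per_hour * multiplier
    return sorted(
        (user, session, hour, total)
        for (user, session, hour), total in hourly_download_volume(events).items()
        if total > threshold
    )


if __name__ == "__main__":
    # Assumed baseline: a human admin moves roughly 50 MB per hour on a busy day.
    for user, session, hour, total in flag_bulk_sessions(SAMPLE_EVENTS, 50_000_000):
        print(f"ALERT {user} session={session} hour={hour} {total / GIB:.0f} GiB")
```

The same aggregation keyed on source identity instead of SessionId works over NetFlow or proxy records, which is the network-side view of the same anomaly.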

The Structural Failure

The root cause is not phishing. Users will always click. The root cause is an architecture where:

  1. A single email credential grants read access to terabytes of sensitive law enforcement data.
  2. No conditional access policy evaluates sign-in risk before granting access to high-value repositories.
  3. No data loss prevention rule limits bulk retrieval volume per session.
  4. No UEBA model baselines administrative account behavior.
  5. No segmentation separates the authentication boundary from the data tier.

This is not an edge case. This is the default state of most organizations that federate identity across cloud services without implementing zero-trust data access controls.

Every access in this breach was authorized. None of it was legitimate. The gap between those two states is where this organization had zero instrumentation, and 7.7TB of exposure.
