A week after Dallas revealed 26,212 people have been impacted by the city’s ransomware attack, officials say it’s likely an ongoing review will reveal more people had their personal information exposed. They also believe it could take at least several months to determine the full scope and cost to taxpayers.
Deputy City Manager Jon Fortune and Chief Information Officer Bill Zielinski told The Dallas Morning News the city is working with a forensic firm on what happened and what data was breached. Hackers accessed city servers starting April 7, but the city wasn’t alerted to ransomware in its system until May 3. Starting last week, the city sent around 27,000 letters to mostly employees, former employees and their relatives saying names, addresses, Social Security numbers, medical information and other details were exposed and possibly downloaded. At least one City Council member — Jaynie Schultz — told The News of receiving a letter.
“There will be a second phase of a deeper data dive that will be occurring over the next couple of months,” Fortune said. “By fall, there will likely be a round two of notifications that will include other individuals that will receive notices.”
More details have been released in recent weeks about the scope of the ransomware attack, what city officials know about the incident and when they knew it. But a point of contention for several people impacted is that city officials revealed on Aug. 3 that they knew personal information was accessed by hackers as of June 14. The earliest the city gave any public indication was a July 18 email from City Manager T.C. Broadnax to employees saying some human resources department data was exposed. They believe the city had at least a moral obligation to keep the public up to date on what they knew and when.
Political Points
Get the latest politics news from North Texas and beyond.
“We deserved to know sooner,” said Connie Sanchez, a retired city employee who received notice last week that personal information from her, her husband and their adult son was at risk. “We’re trusting you to keep our information secure. If you know that’s not the case, don’t tell me a month or two after the fact — tell me right now. Even if there’s a slim chance.”
Sanchez, who retired in January 2021 as a City Council liaison after 35 years of city service, said she discovered two credit cards opened in her name in early June. She suspected her personal information may have been stolen from the city since her family still receives health insurance through the municipality. She said she’d never experienced identity theft before.
Sanchez, 59, said she was frustrated when her emails to Broadnax and City Council members wondering if retirees could have been impacted by the data breach went unanswered. She said her family is planning to enroll in a free two-year credit monitoring service being offered through the city.
“At the end of the day, this whole thing has been disappointing,” Sanchez said. “It’s hard not to feel like they just didn’t care to tell us as soon as possible.”
Broadnax did not responded to multiple emails this week from The News with questions regarding the ransomware attack. He acknowledged via text receiving the questions. He declined comment when reached by phone.
What we ‘knew to be true at that time’
Fortune said determining who was impacted, what specific data had been at risk and who to notify were key factors in the city figuring out when to inform people whose personal information had been exposed. A blanket statement saying city data had been accessed “doesn’t meet the legal requirements that we have to abide by,” he said.
“We provided information based on the information that we had and knew to be true at that time. To indicate that we could have done something sooner with a lens of retrospect, it’s easy to kind of jump to that conclusion,” Fortune said. “But if you go back to the moment and where we were at that time and what we knew at that time, it would have been, in my opinion, premature to indicate to people that there’s a problem and you need to do something.”
Fortune said that by June 14, the city still didn’t know when hackers first accessed stored data and didn’t have a process in place to offer free credit monitoring to everyone who could have been impacted. He said it wasn’t until Dallas officials further investigated the breach that they determined hackers had access to city data between April 7 and May 4, rather than it just occurring on May 3, when it was discovered by the city.
“I empathize and certainly appreciate people’s frustration,” Fortune said. “We are all frustrated by being in this situation.”
Zielinski said the city had several cyberthreat monitoring systems in place before the ransomware attack. He chalked up Dallas being hit as a symptom of being targeted by skilled cybercriminals.
“The reality is these are well-funded, sophisticated hackers who do this for a living, and they were able to elude our detection,” said Zielinski, who oversees the city’s information and technology services department.
Zielinski declined to reveal how the hack occurred, how much city equipment had to be replaced and other specific questions about the attack, saying some of those details would be revealed in a report on the cyberattack that will be released in September. He said the City Council is scheduled to be briefed on the after-action report Sept. 6.
“We’re still doing all the review work, and I don’t want to get out in front of that and say something that’s subsequently changed before the report is finalized,” Zielinski said.
He said 99% of the city’s network has been restored since the ransomware attack.
‘Good news can wait’
Dallas officials first told the public about the attack May 3. They have cited a criminal investigation as a reason for providing few details in the months since.
It’s the largest data breach disclosed by a Texas city to the attorney general’s office this year, and the tally indicates that the impact reaches far beyond Dallas’ roughly 13,400 employees.
It doesn’t appear to be the largest breach reported in the country this year. Hillsborough County in Florida, for example, notified more than 70,000 people in July that their personal information was at risk due to a breach involving files kept by their health departments.
Fortune and Zielinski told The News they were among recipients of letters from the city saying their data was exposed. All the letters are signed by Fortune.
“I’ll admit, it is sobering when you get the letter,” Fortune said of being notified like everyone else.
Cybersecurity and legal experts differ in opinion on whether Dallas correctly handled notifying the public.
Matthew Yarbrough, a former assistant U.S. attorney who is a private lawyer with Michelman & Robinson in Dallas, said he believes the city should have notified employees and residents that hackers had access to data as soon as they knew.
Because information can be shared and spread quickly on the dark web, “when you know there’s a chance something could happen, you probably shouldn’t sit on that information,” Yarbrough said.
“You can be clear that you don’t have all the details yet and you’re investigating to know more. But we do know we have Social Security numbers and we know data has been accessed,” he said. “I mean, that’s what you’re here for, right? To protect our residents — not just from physical crime, but also from cybercrime.”
Yarbrough said real-time updates can help with public trust. He noted the city provided several public updates after the ransomware attack was announced on the status of police, fire and library services to let people know if first responders’ computer-aided dispatch system could be restored or when returned library books could be processed.
“You can tell me about checking out library books any day, but my Social Security possibly getting out is a whole different ballgame,” Yarbrough said. “Good news can wait. The bad news, you run to the podium and you start screaming it out loud so people can know and make an informed decision as soon as possible.”
Mitch Thornton, executive director of the Darwin Deason Institute of Cyber Security at Southern Methodist University, said he believes the city could have had legitimate reasons for not immediately issuing mass notifications.
Undergoing the forensic analysis, for example, could help prevent the city from causing unnecessary panic, he said.
“There’s a lot of variables behind the scenes that people are not aware of,” Thornton said. “They don’t want to alert people that they could possibly be victims and then find out later they aren’t.”
Murat Kantarcioglu, a computer science professor at the University of Texas at Dallas, said advice from the city’s legal counsel and law enforcement could also play a role in when information is publicly released related to a ransomware attack.
“Sometimes when they [investigate] with the FBI or law enforcement, they may want to hold on to it to further investigate the activity of the hacker group,” Kantarcioglu said. “If you notify the individuals, of course, the hacker group will be aware of it.”
Local governments can be vulnerable to hackers because many either don’t have the resources or decide not to spend large amounts on cybersecurity due to priorities that are more visible, like parks and police and fire departments, Kantarcioglu said.
Dallas budgeted $110 million for its IT department in data management last fall, and Broadnax recently proposed increasing the budget this year to almost $132 million.
Last year, the IT department’s data management budget was among the top-funded items in the annual spending plan, just under the $111 million parks and recreation budget. The proposed IT budget increase, if approved, would put it above the $120 million earmarked for the parks department this year.
“[Local governments] are easier targets for hacker groups because they couldn’t always make these types of investments,” Kantarcioglu said. “But I hope from now on, all these things show that you have to have these investments because these hacks are much more common now.”
The Dallas City Council on Wednesday approved allocating $8.6 million in payments in response to the ransomware attack. The planned payments would be to vendors for replacing and installing computers and mobile devices compromised in the hack, for the credit monitoring services being offered by the city and other expenses.
‘It’s all about transparency’
The city has previously identified ransomware group Royal as responsible for the breach. The group threatened in a May 19 blog post to publicly share employees’ addresses, Social Security numbers, medical information and other information, but had not appeared to have done so as of Friday. It isn’t clear how much data was taken from city servers.
Dallas’ municipal government isn’t alone in being hit with a ransomware attack. Security and privacy research firm Comparitech found a little more than 390 ransomware attacks have targeted U.S. government organizations between January 2018 and July 2023. The firm’s analysis found the attacks affected an average of more than 21,300 government-held records, and the average ransom paid by those groups was more than $525,000.
It’s not clear if Dallas paid any ransom. City officials have declined to say.
San Bernardino County in Southern California announced in May it made a $1.1 million payment to hackers to settle a ransomware attack on the sheriff department’s computer network. Oakland is facing several class-action lawsuits after its electronic database was hit with a ransomware attack in February.
Jim McDade, president of the Dallas Fire Fighters Association, said his members are meeting with attorneys to discuss possible legal action against the city.
“It’s all about transparency,” McDade said. “They should have been proactive from the beginning in informing us of the situation and offering ways to get us protection, not waiting until it was convenient for them.”
McDade said he and his 10-year-old son received letters from the city saying their personal information was exposed.
Yarbrough said lawsuits against the city over the hack are possible, but it could be difficult to win a case if it goes to trial. In addition to having to prove that they were the victims of identity theft, potential plaintiffs would likely have to prove that any harm they incurred was directly linked to Dallas’ cyberattack and that the city was negligent with their personal information.
“I think it’d be hard for the city of Dallas to argue that they weren’t aware of the threat of ransomware before the attack,” he said. “But how do you prove bad actors didn’t just get your information from some other data breach, like the one from Home Depot several years ago?”
Yarbrough mentioned someone opened a Target credit card in his name within the last 30 days. The applicant had at least Yarbrough’s name, address, driver’s license number and Social Security number. He said close to $500 had been spent on the card before he was able to shut down the account.
Yarbrough said he doesn’t know how his personal information was obtained.
Scott Cole, an attorney representing Oakland employees in the class-action lawsuit, said a cybercrime doesn’t necessarily mean a legal liability.
In Oakland’s case, it was determined hackers leaked hundreds of gigabytes of data. He said Oakland police officers have been concerned people who’ve been arrested by them could obtain their addresses and retaliate against them and their families.
“Is there liability across the board for government entities? There’s just not,” Cole said. “You have to look at how the information was kept, how long it was kept, where it was kept, was it sequestered, was it encrypted, different levels of information are going to require a different treatment.”
Timeline
May 3: Dallas announces being alerted to a likely ransomware attack, that employees are working to prevent its spread and that several servers were compromised. The city says servers were taken offline in response and that impacts include issues with websites for the city of Dallas and the police department, and less than 200 devices were compromised. Emergency responders have to manually take information on calls due to issues with the computer-aided dispatch system.
May 4: The city identifies Royal, a ransomware group, as responsible for the attack. Issues at the time include Dallas Water Utilities not being able to process payments from residents, the municipal court having to close and the city being unable to issue permits or receive applications or payments for development services, permitting, public works and zoning.
May 5: Police and firefighters are still being dispatched by radio and manually taking information on emergency calls. Dallas Water Utilities-related bills can only be paid by mail. Libraries are open, but network outages make it not possible to process book returns and browse online catalogs. Public computers are also down at the libraries. Municipal court remains closed and no hearings or trials are held. Payments for documents and citations can’t be processed.
May 8: Chief Information Officer Bill Zielinski, who oversees Dallas’ information and technology services department, gives a public briefing to City Council members. He says there’s been no evidence that personal information from employees or residents has been leaked and monitoring is continuing. He says an ongoing criminal investigation into the ransomware attack prevents him from sharing specific details about the attack and the city’s ongoing recovery efforts. Websites for the city and police department are back online.
May 9: Municipal court is open but hearings, trials and jury duty are suspended due to network issues. The court still can’t accept payments. Dallas Water Utilities begins accepting payments again and parts of the computer-assisted dispatch system are restored. 311 calls can’t be accepted online or via the city’s app.
May 11: The city reports the controller’s office can resume printing checks to vendors, but there have been no issues with payroll. City officials tell The Dallas Morning News it could take months to fully restore city systems after the ransomware attack.
May 16: The city says the vital statistics department can’t take or process online orders and has limited ability to issue birth and death records. The development services office is unable to process payments. Residents are encouraged to hold onto library books because they still can’t be processed back into the system.
May 17: The development services office can process payments and issue permits.
May 18: The city can accept 311 service requests online and through its app. The FBI says a criminal investigation into the ransomware attack is ongoing.
May 19: Royal publishes an online blog post threatening to release personal information stolen from the city of Dallas. The city says it’s aware of the post and “maintain[s] there is no evidence or indication that data has been compromised.”
May 22: City says municipal court is closed because of a planned system upgrade, but trials and hearings still haven’t resumed and payments can only be accepted by mail. Dallas’ largest police and fire associations send a letter to City Manager T.C. Broadnax demanding the city provide free identity theft monitoring for all of its members for five years.
May 30: Municipal court reopens and payments can be processed online, by mail or in person.
May 31: Municipal court hearings resume. Catherine Cuellar, the city’s communications, outreach and marketing director, emails directions to the Dallas City Council to share little to no details about the city’s ransomware response.
June 2: Zielinski tells The News that the city estimates being “more than 90% complete” in restoring IT systems and services since the ransomware attack.
June 8: Broadnax emails city employees to say the city will be offering free credit monitoring as a precaution because officials haven’t found proof that information from workers or residents has been publicly released.
June 23: Dallas libraries can resume processing book returns, allow residents to browse their online catalog and apply for library cards.
June 28: The Dallas City Council approves a nearly $4 million deal to get a new system that alerts the city’s information technology department of possible cyberattacks.
July 18: Broadnax emails city employees to reveal that hackers accessed personal information stored by the Human Resources department and other areas. He says officials will “be making the appropriate notifications in accordance with our obligations.”
Aug. 3: Dallas officials announce their investigation of the ransomware attack determined hackers accessed city servers and began downloading data on April 7. The city wasn’t alerted to ransomware until May 3, and the unauthorized access stopped on May 4. City officials also reveal that they knew files containing people’s names, addresses, Social Security numbers, insurance information and other details had been accessed as of June 14. The city begins mailing notices to people that their personal information was exposed.
Aug. 7: The attorney general’s office publishes that Dallas reports 26,212 people had their data impacted by the city’s ransomware attack. The city says notice was given to the attorney general’s office on Aug. 3.
Aug. 10: The Dallas City Council approves setting aside nearly $8.6 million in payments for the city’s ransomware attack response.
Staff writer Irving Mejia-Hilario contributed to this report.
/cloudfront-us-east-1.images.arcpublishing.com/dmn/RRPYN3Z7BJFQDLXYCICDVLYKCQ.jpg "Number affected in Dallas ransomware attack expected to grow, city says")
/cdn.vox-cdn.com/uploads/chorus_asset/file/25739950/247386_Elon_Musk_Open_AI_CVirginia.jpg "Inside Elon Musk’s messy breakup with OpenAI")
