City officials say files containing sensitive information — including Social Security numbers, insurance and even medical records — were accessed by “an unauthorized third party” as part of the May 4 ransomware attack.
The revelation comes after weeks of assurances from the city that no personal data had been compromised.
A Thursday press release also said the data had been compromised as early as June 14 — almost a month and a half ago.
“The City has taken steps to identify and remediate the cause of the incident and encourages individuals to be vigilant in reviewing their financial statements and credit card reports,” the press release stated. “The city has also established a dedicated response center for those affected to send questions and receive assistance.”
It was not clear how long the city knew about the compromised data.
In May, a few weeks after the initial attack, the hacker group Royal threatened to leak sensitive information via their blog. At the time, city officials released a statement saying they were aware of the threat.
In late June, the Dallas City Council approved a $3.9 million cybersecurity contract, with little discussion. The contract authorized the city manager to pay the consulting group Netsync for “support of a threat and anomaly detection system” for the city’s IT department.
City officials say they have started reaching out to individuals who were potentially affected by the ransomware attack and are offering resources.
“Although the City is not aware of any identify theft or fraud resulting from this incident, it will provide involved individuals with two years of free credit monitoring and identity theft protection,” the press release said.
Got a tip? Email Nathan Collins at ncollins@kera.org. You can follow Nathan on Twitter @nathannotforyou.
KERA News is made possible through the generosity of our members. If you find this reporting valuable, consider making a tax-deductible gift today. Thank you.
