The Dallas City Council on Wednesday approved nearly $8.6 million in payments for services related to the ransomware attack earlier this year, including credit monitoring for potential identity theft victims.
The City Council asked no questions about the payments before unanimously approving the agenda item. The names of the vendors receiving the money, how much each vendor is getting, and what specific services were provided were not laid out in any publicly available documents. A list of what the money is being set aside for was provided to The Dallas Morning News by Deputy City Manager Jon Fortune after the council meeting.
Fortune told the council during the meeting that the city mailed about 27,000 letters starting last week notifying mostly current and former employees, such as retirees, that their data was exposed and that the city is offering credit monitoring because of it.
The $8.6 million is coming from two different city reserve funds to pay invoices to vendors for new hardware, software, consultants, monitoring and other professional services described as emergency purchases made because of the cyberattack, according to city documents.
According to the city, the money is going toward:
– New storage devices, servers, laptops, desktop computers and mobile dispatch computers for police and fire vehicles to replace ones that were compromised or damaged in the ransomware attack.
– Temporary staff who aided in the city’s recovery efforts.
– Credit monitoring services, identity protection, call center and notification support.
– Forensic accounting
– Recovery and restoration services for city applications and systems.
– Installation for new hardware and equipment.
– New and additional software licenses to enhance the city’s cyber security, response and recovery efforts.
The city is planning to file insurance claims and put any reimbursement received into its general fund contingency reserve fund, which is 65% of the funding source for these invoice payments. The rest is from the city’s liability reserve fund.
The payment approval comes three months after the city announced being hit with a ransomware attack on May 3.
It wasn’t until last week that Dallas officials publicly confirmed that hackers had downloaded sensitive information from city servers and began notifying people potentially impacted. Dallas officials said they knew as of June 14 that hackers had access to city-stored personal information.
The city has previously said ransomware group Royal was responsible for the breach.
The attorney general’s office published Monday that the city reported at least 26,212 people are suspected of being impacted by the cyberattack. The city’s notice to the attorney general’s office says the data breach included names, addresses, Social Security numbers, and medical and health insurance information.
The letters contain offers for two years of free credit monitoring through Equifax, tips on how to protect personal information, and a number people can call for more support.
“If you got the letter, it doesn’t mean you were a victim of fraud or that there’s any concern that you need to have as it relates to someone using that information,” Fortune said, “Although we can’t rule that out, obviously.”
Fortune said an investigation into the data breach is still ongoing and the city has hired a forensics firm to help determine the scope of people whose sensitive information was exposed. He said that group could also include residents who aren’t related to current or former city employees.
The City Council met in closed session after the vote to discuss matters related to the ransomware attack. Three council members told The News that they weren’t aware of how many people were impacted by the cyber attack before a tally was reported to the attorney general’s office.
City Manager T.C. Broadnax didn’t respond to questions on whether the mayor and City Council members were told the amount of people impacted by the ransomware attack before Tuesday and why city officials didn’t announce in June that they knew people’s personal information had been accessed by hackers. Catherine Cuellar, the city’s communications director, declined comment on the same questions.
“I do not have additional information beyond what was discussed in council this morning and has been previously shared,” Cuellar said. “Please pardon any inconvenience, and if that should change I will reach out.”
Dallas officials ask anyone who believes their personal information may have been affected by the ransomware attack and haven’t received notice from the city by Aug. 17, to call a toll-free response line, 833-627-2708. The response line is available Monday through Friday, 8 am to 8 pm Central Time, except on major holidays.