Dallas officials say they will disclose more information regarding the ransomware attack in a report to City Council members this week.
But they provided a few new details in an interview with The Dallas Morning News last week, the first time City Manager T.C. Broadnax agreed to a sit-down talk about how hackers were able to access the personal information of at least 30,000 people.
The data breach started April 7, but wasn’t discovered by the city until May 3. Four months later, Broadnax, Deputy City Manager Jon Fortune and Chief Information Officer Bill Zielinski still declined to say how the hack occurred, what departmental data — other than health benefits information stored by human resources — was accessed, and how much information was downloaded from the city.
“I want to wait until (the report) is finalized to share that information,” said Zielinski, who oversees the city’s information and technology services department. The briefing to the City Council will be on Wednesday, he said.
Zielinski revealed that for at least the last four years the city has been doing simulated training to prepare for how to deal with cyberattacks, including getting guidance from the Department of Homeland Security. He also said the federal government had been putting out advisories since at least March warning of an uptick in cyberattacks targeting local municipalities.
“I wish we were perfect,” Zielinski said. “I wish we had a perfect track record in terms of being able to detect these things. But these groups work hard to figure out how they can escape detection.”
When asked what made Dallas’s system vulnerable when other Texas cities, such as Houston, San Antonio and Austin haven’t reported ransomware attacks in recent years, he said, “We’ll actually be sharing more information that’s directly responsive to this question during the Sept. 6 briefing.”
The decision to provide little information to the public about the attack has drawn criticism for months, with employees only learning in mid-July that their health care data was stolen. Dallas officials said they knew as of June 14 that hackers had access to city-stored personal information.
City officials have cited an ongoing criminal investigation into the hacking as reason to release few details of the incident. They also haven’t said if any ransom has been paid to hackers related to the data breach.
Broadnax defended the gap in release of information, saying it was necessary for city officials to be as precise as possible about what data had been accessed and who was affected. But he acknowledged that the city’s overall communication to residents and employees could have been improved.
“Could we do better? I think, from a communication standpoint, at least, what people believe we should be communicating? I would say, yeah, we can always do better,” Broadnax said. “But I think how we’ve approached it, particularly being measured in trying to understand and know all of what it is we were going to be sharing, and the magnitude of it before we shared it to make sure that the information was accurate and helpful, I think we’ve done a great job.”
Broadnax said the city had been building up its cybersecurity in recent years, including requiring employees to use a multi-step login process to access city systems. He noted the information and technology services budget related to data had grown from $77 million in 2018 to $110 million this year.
The latest draft of the upcoming city budget that Broadnax has proposed calls for an increase to $132 million.
“I think the impacts could have been much worse, particularly given the size and breadth of our organization,” Broadnax said.
Zielinski said the city’s network is just about fully restored after the attack and that the city will continue to investigate the attack and its impacts even after presenting the report to the City Council next week.
Fortune cited an ongoing internal investigation as one reason city officials could not list all of the departments where information had been accessed. When asked directly whether Dallas Water Utilities, which stores information about nearly every utility customer in the city, was impacted, Fortune declined to say.
“I’m not going to get into hypotheticals: ‘We think it’s this area, that area.’ Until we complete that investigation,” Fortune said. “I’m not going to be in a position to tell you those departments. Until we can complete that extensive review, I don’t want to cause anybody in this organization or this community to feel vulnerable when we don’t have facts yet.”
The city reported the data breach to the U.S. Department of Health and Human Services in August, saying personal information from 30,253 people in Dallas’ self-insured group health plans was exposed during the breach
Also in August, the city sent about 27,000 letters, mainly to employees, former employees and their relatives explaining names, addresses, Social Security numbers, medical information and other details were exposed and possibly downloaded.
They said it’s likely the number of people determined to be impacted by the ransomware attack will grow by the fall.
It’s not clear how much data was taken from city servers. The city has identified ransomware group Royal as responsible for the hacking. The group has threatened to release city-stored information, but the leak doesn’t appear to have happened as of Thursday.
The City Council on Aug. 9 approved setting aside nearly $8.6 million to pay vendors for hardware, software, incident response and consulting services in response to the ransomware attack.
Zielinski said the report to the City Council would also include recommendations on how the city can improve its security to help stave off future attacks.
I think what residents can be confident in is that we take these threats very seriously and that we continue to make investments in security so that we can guard against these kinds of attacks in the future.”