Computer hackers accessed the personal information of at least 26,212 Texans in a ransomware attack on the city of Dallas, according to an official disclosure made public Monday, three months after the breach.
The city’s notice to the Texas Attorney General’s Office says the data breach included names, addresses, social security numbers, medical information and health insurance information. The information was published Monday. The city said the details were reported to the attorney general’s office on Thursday.
The disclosure, which is required by law, marks the most detailed information yet about the scope of the cyberattack, which has hampered city services in various ways for months. Dallas officials first told the public about the attack on May 3. They have cited a criminal investigation as a reason to provide few details in the months since.
It’s the largest data breach disclosed by a Texas city to the attorney general’s office this year, and the tally indicates that the impact reaches far beyond Dallas’ roughly 13,400 employees.
The notice was published 97 days after the city first disclosed the attack. Catherine Cuellar, the city’s communications director, said Tuesday that Dallas delayed reporting to the attorney general’s office because the city’s initial investigation of the breach, and its work to determine which sensitive information was accessed, didn’t end until late July.
“The investigation and data review process remain ongoing,” Cuellar told The Dallas Morning News.
State law requires organizations to disclose a data breach to the attorney general’s office no more than 60 days after discovering it. There are a few exceptions.
Notification can be delayed at the request of law enforcement if investigators believe notice could hamper a criminal investigation. It can also be delayed to determine the scope of the breach and “restore the reasonable integrity of the data system,” according to the law.
It wasn’t until last week that the city told the public that hackers could have been downloading personal data from city servers between April 7 and May 4. Dallas officials also say they knew by June 14 that hackers had accessed personal information stored on city servers, but city officials did not disclose that fact until July 18 when City Manager T.C. Broadnax sent an email to city employees saying some human resources department data was among information exposed during the ransomware attack.
The city has previously identified ransomware group Royal as responsible for the breach. The group threatened in a May 19 blog post to publicly share employees’ addresses, social security numbers, medical information and other information, but does not appear to have done so as of Tuesday. It isn’t clear how much data was taken from city servers.
Cuellar told The News on Friday that officials were starting to mail notices to employees and residents whose information may have been stolen. Employees are being offered two years of free credit monitoring and identity theft protection services, but it’s not clear if anyone else impacted will be offered the same services by the city.
A copy of an Aug. 3 letter sent to a city employee, obtained by The News, also says people’s birth dates and medical diagnoses may have been among the sensitive information stolen. The letter sets a Nov. 30 deadline to enroll in the credit monitoring, which would include up to $1 million in identity theft insurance coverage.
“Your privacy and the security of the personal information we maintain is of the utmost importance to the city and we are deeply sorry this incident occurred,” said the letter, signed by Jon Fortune, a Dallas deputy city manager.
Fortune also said in the letter the city would reach out again if officials determined that other types of personal information were accessed.
The delay in releasing details about the cyberattack has left the public in the dark about how they might be affected.
Connie Sanchez, a former City Council liaison who retired in January 2021 after 35 years, said she still receives health insurance through the city and had her identity stolen in June. Sanchez doesn’t know for sure if her case is linked to the city’s cyberattack, but she’s concerned that former employees like her who still have their personal information stored by Dallas’ municipal government could have also been at risk.
“I can’t help but wonder if that was the reason, because I’ve never had my identity stolen until the city was hacked,” said Sanchez, 59. “What makes me mad is that they are taking so long to notify people.”
Sanchez said her questions to city officials about whether retirees could have also been impacted by the cyberattack went unanswered. In June, Cuellar told the mayor and City Council members to not share any details of the attack or recovery efforts with the public. Elected leaders have met at least half a dozen times since May in closed session meetings to discuss the impact of the attack and to consult the city attorney’s office.
A new law will go into effect Sept. 1 that cuts the mandatory notice timeline to 30 days for organizations that have data breaches involving at least 250 Texas residents. Gov. Greg Abbott signed Senate Bill 768 into law on May 27. The exceptions will remain.
“As cybercrimes such as identity theft have been on the rise, 60 days is too long of a period before notification is required,” according to a statement of intent filed with the state Senate by Sen. Tan Parker, R-Flower Mound, who authored the bill. “Also, in instances of a mass data breach.”