Number affected in Dallas ransomware attack expected to grow, city says

A week after Dallas revealed 26,212 people have been impacted by the city’s ransomware attack, officials said it’s likely an ongoing review will reveal more people had their personal information exposed. Officials also said it could take at least several months to determine the full scope and cost to taxpayers.

Deputy City Manager Jon Fortune and Chief Information Officer Bill Zielinski told The Dallas Morning News the city is working with a forensic firm on what happened and what data was breached. Hackers accessed city servers starting April 7, but the city wasn’t alerted to ransomware in its system until May 3. Starting last week, the city sent around 27,000 letters mostly to employees, former employees and their relatives saying names, addresses, Social Security numbers, medical information and other details were exposed and possibly downloaded. At least one City Council member — Jaynie Schultz — told The News of receiving a letter.

“There will be a second phase of a deeper data dive that will be occurring over the next couple of months,” Fortune said. “By fall, there will likely be a round two of notifications that will include other individuals that will receive notices.”

More details have been released in recent weeks about the scope of the ransomware attack, what city officials know about the incident and when they knew it. But a point of contention for several people impacted is that city officials revealed on Aug. 3 that they knew personal information was accessed by hackers as of June 14. The earliest the city gave any public indication was a July 18 email from City Manager T.C. Broadnax to employees saying some human resources department data was exposed. They believe the city had at least a moral obligation to keep the public up to date on what they knew and when.

“We deserved to know sooner,” said Connie Sanchez, a retired city employee who received notice last week that personal information from her, her husband and their adult son was at risk. “We’re trusting you to keep our information secure. If you know that’s not the case, don’t tell me a month or two after the fact — tell me right now. Even if there’s a slim chance.”

Sanchez, who retired in January 2021 as a City Council liaison after 35 years of city service, said she discovered two credit cards opened in her name in early June. She suspected her personal information may have been stolen from the city since her family still receives health insurance through the municipality. She said she’d never experienced identity theft before.

Sanchez, 59, said she was frustrated when her emails to Broadnax and City Council members wondering if retirees could have been impacted by the data breach went unanswered. She said her family is planning to enroll in a free two-year credit monitoring service being offered through the city.

“At the end of the day, this whole thing has been disappointing,” Sanchez said. “It’s hard not to feel like they just didn’t care to tell us as soon as possible.”

Broadnax did not respond to multiple emails this week from The News with questions regarding the ransomware attack. He acknowledged via text receiving the questions. He declined comment when reached by phone.

What we ‘knew to be true at that time’

Fortune said determining who was impacted, what specific data had been at risk and who to notify were key factors in the city figuring out when to inform people whose personal information had been exposed. A blanket statement saying city data had been accessed “doesn’t meet the legal requirements that we have to abide by,” he said.

“We provided information based on the information that we had and knew to be true at that time. To indicate that we could have done something sooner with a lens of retrospect, it’s easy to kind of jump to that conclusion,” Fortune said. “But if you go back to the moment and where we were at that time and what we knew at that time, it would have been, in my opinion, premature to indicate to people that there’s a problem and you need to do something.”

Fortune said that by June 14, the city still didn’t know when hackers first accessed stored data and didn’t have a process in place to offer free credit monitoring to everyone who could have been impacted. He said it wasn’t until Dallas officials further investigated the breach that they determined hackers had access to city data between April 7 and May 4, rather than it just occurring on May 3, when it was discovered by the city.

“I empathize and certainly appreciate people’s frustration,” Fortune said. “We are all frustrated by being in this situation.”

Zielinski said the city had several cyberthreat monitoring systems in place before the ransomware attack. He chalked up Dallas being hit as a symptom of being targeted by skilled cybercriminals.

“The reality is these are well-funded, sophisticated hackers who do this for a living, and they were able to elude our detection,” said Zielinski, who oversees the city’s information and technology services department.

Zielinski declined to reveal how the hack occurred, how much city equipment had to be replaced and other specific questions about the attack, saying some of those details would be revealed in a report on the cyberattack that will be released in September. He said the City Council is scheduled to be briefed on the after-action report Sept. 6.

“We’re still doing all the review work, and I don’t want to get out in front of that and say something that’s subsequently changed before the report is finalized,” Zielinski said.

He said 99% of the city’s network has been restored since the ransomware attack.

‘Good news can wait’

Dallas officials first told the public about the attack May 3. They have cited a criminal investigation as a reason for providing few details in the months since.

It’s the largest data breach disclosed by a Texas city to the attorney general’s office this year, and the tally indicates that the impact reaches far beyond Dallas’ roughly 13,400 employees.

It doesn’t appear to be the largest breach reported in the country this year. Hillsborough County in Florida, for example, notified more than 70,000 people in July that their personal information was at risk due to a breach involving files kept by their health departments.

Fortune and Zielinski told The News they were among recipients of letters from the city saying their data was exposed. All the letters are signed by Fortune.

“I’ll admit, it is sobering when you get the letter,” Fortune said of being notified like everyone else.

Cybersecurity and legal experts differ in opinion on whether Dallas correctly handled notifying the public.

Matthew Yarbrough, a former assistant U.S. attorney who is a private lawyer with Michelman & Robinson in Dallas, said he believes the city should have notified employees and residents that hackers had access to data as soon as they knew.

Because information can be shared and spread quickly on the dark web, “when you know there’s a chance something could happen, you probably shouldn’t sit on that information,” Yarbrough said.

“You can be clear that you don’t have all the details yet and you’re investigating to know more. But we do know we have Social Security numbers and we know data has been accessed,” he said. “I mean, that’s what you’re here for, right? To protect our residents — not just from physical crime, but also from cybercrime.”

Yarbrough said real-time updates can help with public trust. He noted the city provided several public updates after the ransomware attack was announced on the status of police, fire and library services to let people know if first responders’ computer-aided dispatch system could be restored or when returned library books could be processed.

“You can tell me about checking out library books any day, but my Social Security possibly getting out is a whole different ballgame,” Yarbrough said. “Good news can wait. The bad news, you run to the podium and you start screaming it out loud so people can know and make an informed decision as soon as possible.”

Mitch Thornton, executive director of the Darwin Deason Institute of Cyber Security at Southern Methodist University, said he believes the city could have had legitimate reasons for not immediately issuing mass notifications.

Undergoing the forensic analysis, for example, could help prevent the city from causing unnecessary panic, he said.

“There’s a lot of variables behind the scenes that people are not aware of,” Thornton said. “They don’t want to alert people that they could possibly be victims and then find out later they aren’t.”

Murat Kantarcioglu, a computer science professor at the University of Texas at Dallas, said advice from the city’s legal counsel and law enforcement could also play a role in when information is publicly released related to a ransomware attack.

“Sometimes when they [investigate] with the FBI or law enforcement, they may want to hold on to it to further investigate the activity of the hacker group,” Kantarcioglu said. “If you notify the individuals, of course, the hacker group will be aware of it.”

Local governments can be vulnerable to hackers because many either don’t have the resources or decide not to spend large amounts on cybersecurity due to priorities that are more visible, like parks and police and fire departments, Kantarcioglu said.

Dallas budgeted $110 million for its IT department in data management last fall, and Broadnax recently proposed increasing the budget this year to almost $132 million.

Last year, the IT department’s data management budget was among the top-funded items in the annual spending plan, just under the $111 million parks and recreation budget. The proposed IT budget increase, if approved, would put it above the $120 million earmarked for the parks department this year.

“[Local governments] are easier targets for hacker groups because they couldn’t always make these types of investments,” Kantarcioglu said. “But I hope from now on, all these things show that you have to have these investments because these hacks are much more common now.”

The Dallas City Council on Wednesday approved allocating $8.6 million in payments in response to the ransomware attack. The planned payments would be to vendors for replacing and installing computers and mobile devices compromised in the hack, for the credit monitoring services being offered by the city and other expenses.

‘It’s all about transparency’

The city has previously identified ransomware group Royal as responsible for the breach. The group threatened in a May 19 blog post to publicly share employees’ addresses, Social Security numbers, medical information and other information, but had not appeared to have done so as of Friday. It isn’t clear how much data was taken from city servers.

Dallas’ municipal government isn’t alone in being hit with a ransomware attack. Security and privacy research firm Comparitech found a little more than 390 ransomware attacks have targeted U.S. government organizations between January 2018 and July 2023. The firm’s analysis found the attacks affected an average of more than 21,300 government-held records, and the average ransom paid by those groups was more than $525,000.

It’s not clear if Dallas paid any ransom. City officials have declined to say.

San Bernardino County in Southern California announced in May it made a $1.1 million payment to hackers to settle a ransomware attack on the sheriff department’s computer network. Oakland is facing several class-action lawsuits after its electronic database was hit with a ransomware attack in February.

Jim McDade, president of the Dallas Fire Fighters Association, said his members are meeting with attorneys to discuss possible legal action against the city.

“It’s all about transparency,” McDade said. “They should have been proactive from the beginning in informing us of the situation and offering ways to get us protection, not waiting until it was convenient for them.”

McDade said he and his 10-year-old son received letters from the city saying their personal information was exposed.

Yarbrough said lawsuits against the city over the hack are possible, but it could be difficult to win a case if it goes to trial. In addition to having to prove that they were the victims of identity theft, potential plaintiffs would likely have to prove that any harm they incurred was directly linked to Dallas’ cyberattack and that the city was negligent with their personal information.

“I think it’d be hard for the city of Dallas to argue that they weren’t aware of the threat of ransomware before the attack,” he said. “But how do you prove bad actors didn’t just get your information from some other data breach, like the one from Home Depot several years ago?”

Yarbrough mentioned someone opened a Target credit card in his name within the last 30 days. The applicant had at least Yarbrough’s name, address, driver’s license number and Social Security number. He said close to $500 had been spent on the card before he was able to shut down the account.

Yarbrough said he doesn’t know how his personal information was obtained.

Scott Cole, an attorney representing Oakland employees in the class-action lawsuit, said a cybercrime doesn’t necessarily mean a legal liability.

In Oakland’s case, it was determined hackers leaked hundreds of gigabytes of data. He said Oakland police officers have been concerned people who’ve been arrested by them could obtain their addresses and retaliate against them and their families.

“Is there liability across the board for government entities? There’s just not,” Cole said. “You have to look at how the information was kept, how long it was kept, where it was kept, was it sequestered, was it encrypted, different levels of information are going to require a different treatment.”
