The ransomware attack hit May 3 and though some functions, like filing a complaint to 311 through the city’s app or residents paying their water bill online, have returned, other functions are still impacted.
The city libraries are still not able to process returned books, the police department isn’t able to access some data, and the municipal court is unable to hold hearings or process payments for citations.
“Progress is continuing with focus on public safety and public-facing services, and as departments’ service is restored it will be shared via city channels,” city spokeswoman Jenna Carpenter told The Dallas Morning News on Wednesday.
The impacts have also included City Council meetings where the government body has been unable to use the electronic voting system when deciding on agenda items. The City Council met in closed session Wednesday for at least the fourth time since the May 3 cyber attack with information technology officials to discuss the city’s network security and other issues related to the incident.
The city in mid May said it could take several more weeks or months to fully restore the system from the ransomware attack, which includes reviewing and cleaning servers and devices to make sure they are safe to use. Ransomware is often used to extort money from organizations by threatening to block access to files or release confidential information unless money is paid.
City officials have declined to say if the city has been issued any ransom or to release specific details related to the attack, citing an ongoing criminal investigation involving the FBI.
The city said several servers were compromised with ransomware early May 3 and that it intentionally took others offline to prevent the bad software from spreading. During a May 8 city council committee meeting, Chief Information Officer Bill Zielinski said the city put in preventative measures that helped limit the effect of the ransomware attack, but city officials haven’t elaborated on what those were.
Royal, the hacker group suspected of being responsible for the Dallas breach, threatened last week to release personal information stored by the city. City officials have maintained since the attack occurred that they’ve found no evidence of information kept on employees and residents have been leaked.
The threat has led the Dallas Police Association and Dallas Fire Fighters Association to send a letter to City Manager T.C. Broadnax demanding the city provide free identity theft monitoring for all of its members for five years.
“We feel that this is necessary and the least the city can do to insure our personal financial information is not compromised” said the May 22 letter.
The city has not disclosed how much the attack has cost taxpayers so far and whether insurance will cover any of the financial hit.
The City Council last September approved a $10.4 million contract with McGriff Insurance Services to secure insurance policies to cover cyber liability, as well as property, flooding, general liability, and other coverage for the year.
Bhavani Thuraisingham, a University of Texas at Dallas computer science professor, said typically ransomware attacks happen when hackers trick someone into sharing personal data, which is called phishing. She said basic cybersecurity includes encrypting sensitive data, but mentioned that isn’t foolproof.
“Bad actors could still get the information, especially if you’re careless with the data, and hold it hostage,” said Thuraisingham, founding director of the school’s cybersecurity research and education institute. “That’s why it’s important to have several safeguards and invest in security measures.”
Matthew Yarbrough, a former assistant U.S. attorney who is now a private lawyer with Michelman & Robinson in Dallas, said smaller or midsize organizations are more susceptible to ransomware cyber attacks due to their lack of resources, technology and staff. But large organizations like Dallas could also be targeted because of the perception that it would have enough money to pay a ransom and because of the amount of data it stores.
As long as the data is not exfiltrated and doesn’t leave the city’s system, the city could possibly avoid a lawsuit, Yarbrough said.
“An unauthorized disclosure of residents’ data is where you see a lot of class action data breach cases,” he said. “But there are sophisticated groups like Royal who will go in and view the data and that in itself could be an unlawful disclosure. And if they happen to follow through with the threat of posting the data publicly, then there’s no doubt about it.”
©2023 The Dallas Morning News, Distributed by Tribune Content Agency, LLC.
