City officials say files containing sensitive information — including Social Security numbers, insurance and even medical records — were accessed by “an unauthorized third party" as part of the May 4 ransomware attack.
The revelation comes after weeks of assurances from the city that no personal data had been compromised.
A Dallas spokesperson confirmed the city knew that personnel information was likely compromised during the attack as early as June 14 — almost a month and a half ago.
“The City has taken steps to identify and remediate the cause of the incident and encourages individuals to be vigilant in reviewing their financial statements and credit card reports,” the press release stated. “The city has also established a dedicated response center for those affected to send questions and receive assistance.”
For the month of July, no new updates on the status of the data had been released. Thursday's press release — sent to media organizations via email — was the first indication that sensitive information was compromised.
But appended to the bottom of a similar statement outlining the attack on the city's website was an update from July 24:
"Our investigation continues to progress, but we recently learned that some benefits-related information maintained by the City’s Human Resources department was accessed by the unauthorized third party responsible for this ransomware incident. The City will notify all impacted individuals whose information may have potentially been affected."
In May, a few weeks after the initial attack, the hacker group Royal threatened to leak sensitive information via their blog. At the time, city officials released a statement saying they were aware of the threat.
In late June, the Dallas City Council approved a $3.9 million cybersecurity contract, with little discussion. The contract authorized the city manager to pay the consulting group Netsync for “support of a threat and anomaly detection system” for the city’s IT department.
City officials say they have started reaching out to individuals who were potentially affected by the ransomware attack and are offering resources.
“Although the City is not aware of any identify theft or fraud resulting from this incident, it will provide involved individuals with two years of free credit monitoring and identity theft protection,” the press release said.
Got a tip? Email Nathan Collins at ncollins@kera.org. You can follow Nathan on Twitter @nathannotforyou.
KERA News is made possible through the generosity of our members. If you find this reporting valuable, consider making a tax-deductible gifttoday. Thank you.
