The Dallas City Council approved more than $8 million Wednesday to pay “invoices due to various vendors” in response to a cyberattack that shut down multiple city servers earlier this year.
The allocation comes after several months of issues related to an attack initiated by a hacker group, which shut various city servers for weeks. Most recently, the city revealed that personal information for 26,212 people — including Social Security Numbers, medical records and addresses — had been compromised.
The city hired a third-party consultant to assess just how much and what kinds of data had been compromised, according to Deputy City Manager Jon Fortune. The city sent out letters to people potentially impacted — most of whom Fortune said were city employees or former city employees — late last week with information on what specific data may have been compromised.
The city will provide two years of credit monitoring offered by the city, he said. People who believe their information was compromised but have not received a letter via mail can call a help desk set up by the city specifically for this incident at 833-627-2708, between 8 a.m. and 8 p.m. CT.
“We are still evaluating the magnitude of those individuals who might have been impacted,” Fortune said. “If they haven’t received anything at this point, there’s no reason to be alarmed, but they can contact that number and get confirmation.”
City officials say a letter in the mail means that sensitive information has been accessed by a third party but is not an indication of identity theft. Fortune urged those who receive a letter to take advantage of credit monitoring and other resources offered by the city.
The FBI and Cybersecurity and Infrastructure Security Agency released an advisory warning about the hacker group, Royal, in September.
In early May, city officials said security monitoring tools identified a likely ransomware attack that compromised multiple local servers and knocked the DPD website offline. A few weeks later, Royal threatened to leak personal information accessed as part of the attack on the city.
The group said they would upload information including Social Security Numbers, names and addresses to their blog.
A statement from city officials released at the time noted there was still “no evidence or indication that data” had been compromised.
In the following weeks, city officials asserted that personal information had not been accessed by the hackers. But last week, a city spokesperson revealed that the information of current and former city employees — and possibly members of the public — had been leaked.
The spokesperson also confirmed the city knew about the compromised personal data as far back as June.
Chief Information Officer Bill Zielinski is expected to provide an update to the Dallas City Council on Sept. 6.
Got a tip? Email Nathan Collins at ncollins@kera.org. You can follow Nathan on Twitter @nathannotforyou.
KERA News is made possible through the generosity of our members. If you find this reporting valuable, consider making a tax-deductible gifttoday. Thank you.
