Dallas information and technology officials say a ransomware attack that disrupted city services — and jeopardized thousands of individuals personal information — started in early April. The city first alerted the public about the attack nearly a month later.
That’s according to the department’s report about the incident, briefed to the city council at Wednesday’s meeting. The briefing was delayed a week after council members postponed the agenda item after a late-night budget amendment debate.
The Royal ransomware group's attack shut down city servers and services for weeks. During the initial part of the city’s investigation, officials maintained that no personal information had been compromised because of the attack.
City officials revealed in early August — months after the initial attack — that wasn’t the case. Over 1 Terabyte of information was leaked by the ransomware group.
“After review of system log data by both city and external experts, the bad actors had gained initial access to city systems using stolen credentials beginning on April 7, 2023,” Chief Technology and Information Security Officer Brian Gardner said.
Gardner says over the course of nearly a month, the Royal group surveilled city systems and started gathering information. The compromised data is just a fraction of the information stored on city servers and officials say a large portion of that information is not sensitive.
But, over 30,000 former and current city employees — and members of the public — had information leaked.
“The city is a logical choice for bad actors wishing to initiate and deliver a cybersecurity attack,” Gardner said.
Some council members wanted to know how the department was going to move forward — and why some of the protective measures mentioned in the report, weren’t already in place.
“Many of the steps you are proposing to take, though, strike me as closing the barn door after the horse has escaped,” District 14 Paul Ridley said during the meeting.
Other members questioned why information officers originally said that personal information had not been compromised, only to then reveal that it was.
“There are aspects of that that I cannot answer,” Chief Information Officer Bill Zielinski said. “As the forensics investigation progressed and we gained more information…that’s what allowed us to get to a point of fidelity around what we believed was accessed.”
Officials say that it was difficult trying to figure out how to keep city services running, while trying to flush the hackers out of their systems.
“The biggest challenge that we faced was coordination,” Gardner said.
Zielinski says the Royal group’s site — hosted on what’s known as the “dark web” — hasn’t been active recently.
“That website has actually been shut down for several months now,” Zielinski said.
Officials say the federal investigation about the attack is still ongoing – and would not answer any questions as the specifics of how city credentials were stolen by Royal.
The city is now offering free credit monitoring services for individuals whose information was compromised.
“Unfortunately, I think we along with all other governmental entities will continue to be a target of these kinds of attacks,” Zielinski said.
Got a tip? Email Nathan Collins at ncollins@kera.org. You can follow Nathan on Twitter @nathannotforyou.
KERA News is made possible through the generosity of our members. If you find this reporting valuable, consider making a tax-deductible gifttoday. Thank you.
