The Dallas ransomware attack exposed private data for thousands of people. Now what?
The ransomware attack announced by the city of Dallas in May compromised the personal data of at least 26,212 people. The mandatory report the city sent to the attorney general’s office earlier this month — made public Aug. 7 — revealed information compromised in the breach included names, addresses, Social Security numbers, medical records and more.
Affected city employees said they received letters giving notice of the personal data leak and offering free credit monitoring and identity theft insurance for two years.
Murat Kantarcioglu is a computer science professor at the University of Texas at Dallas and director of the school's Data Security and Privacy Lab. He's studied security and privacy issues in relation to data mining, machine learning, data security and health care.
He spoke with KERA about some of the long-term effects this cyberattack might have on the tens of thousands of people affected.
This interview has been edited for length and clarity.
Can you talk about the motivation behind getting this kind of information and what effect this can have on a person who's had their information taken?
Kantarcioglu: The hacker group may want to sell this data or leverage this data for identity theft and/or other cyber crimes. So therefore, mainly there is a motivation for making money out of this data.
In some scenarios, depending on the local government type and so on, the data itself may be valuable to foreign governments. For example, you will know all the police officers — maybe their addresses, you know, that may give you some advantage with respect to the city's posture for certain type of things. So, that information may be valuable, again, for various purposes.
City officials confirmed they knew personal information could have been accessed in the breach as early as mid-June. Can you explain from a cybersecurity standpoint why the city might be cautious with the info that it gives out to other governments as well as to the public?
Kantarcioglu: First of all, of course, if you disclose this information publicly, then the hackers or attackers are aware of the fact that you know what they have done. So, you may take time to disclose it so that you can understand the extent of the attack.
And the second thing is that you may want to wait and analyze all the systems, logs, etc. so that you are absolutely sure that the attack happened and you know whose data has been stolen, because at least there's this argument that you don't want to prematurely warn people or prematurely go to them and say that your data has been hacked. If it hasn't been, then you would cause an unnecessary, maybe, concern in those notified people. So, there is the argument that you may want to take your time to make sure that the data has been leaked.
But a lot of people are still saying that they wish the city had been more transparent about what was going on, what information was leaked. The city sent a letter to city employees, making them aware of what personal information of theirs had been breached, giving them free credit monitoring through Equifax. But a lot of people are calling for more. What is it that the city can be doing more to prevent something like this from happening — especially on this scale — again?
Kantarcioglu: To me, based on the previous report, more investment in the technology process and the people education seems to be needed going forward. And because of the personal nature of this data, it may be easier to claim to someone, maybe you are calling from the insurance company because you can say that, "Oh, with respect to your operation two years ago, your COVID diagnosis done six months back, we realized this and that." So, this data could be really valuable for hackers for some time, maybe even longer than two years.
KERA News is made possible through the generosity of our members. If you find this reporting valuable, consider making a tax-deductible gift today. Thank you.