The individuals who hacked the city of Dallas last October of 2023 were able to obtain the addresses, Social Security numbers, and additional personal details of almost 300 individuals beyond what had initially been made public, according to officials.
City officials now reveal that hackers who attacked Dallas had access to the addresses, Social Security numbers, and other personal data of almost 300 more individuals than initially disclosed. According to Catherine Cuellar, the city’s spokesperson, additional internal investigations identified 293 people, including residents and employees, whose information might have been accessed by the hackers. The city has taken steps to notify them through letters. This information was shared with The Dallas Morning News on Wednesday.
Dallas Cyber Attacks in 2023
The revelation contributes to the total number of individuals impacted by the data breach, surpassing 30,000. This information emerged after the Dallas City Council convened in a closed session on Wednesday to deliberate on the cyber attack in collaboration with the city attorney’s office. The council’s most recent executive session meeting on this matter was documented in late September.
The content of the closed meeting held on Wednesday remains unclear, as council members did not provide any information when they reconvened for the open meeting in the afternoon.
On August 9, the City Council approved the allocation of nearly $8.6 million to compensate vendors for hardware, software, incident response, and consulting services in light of the ransomware attack. However, the city has chosen not to disclose the specific details regarding the utilization of these funds.
The city challenged a public records requests, which sought information on the destination of the funds. Although the Attorney General’s Office authorized the release of some records, when the city furnished the information in December, it only disclosed the contract amounts while redacting the names of every vendor and their descriptions.
The single-page document detailing ransomware expenditures stated, “All goods and services were procured between May 3, 2023, and July 31, 2023,” with line items ranging from nearly $7,100 to $4 million.
Catherine Cuellar mentioned that the city’s IT department does not intend to seek additional approval for spending from the City Council beyond the $8.6 million already sanctioned.
The city’s reluctance to provide a breakdown of expenditure details is another instance of the limited information disclosed to the public regarding the 2023 attack, which caused disruptions to city computers and services for several weeks.
2023 Was a Terrible Year for Cyber Incidents in Dallas
In August, three months after discovering the attack, the city reported the data breach to the U.S. Department of Health and Human Services. The breach exposed personal information from 30,253 individuals in Dallas’ self-insured group health plans. During the same month, approximately 27,000 letters were sent, primarily to employees, former employees, and their relatives, explaining that names, addresses, Social Security numbers, medical information, and other details were exposed and potentially downloaded.
They also provided them with two years of complimentary credit monitoring. As of Tuesday, Catherine Cuellar stated that 13% of the notified individuals had enrolled in credit monitoring.
City officials reported that hackers utilized stolen online credentials to access the city of Dallas’ system in April of last year and pilfer files during a cyber attack.
The ransomware group Royal established a connection to a city server, gaining remote access to the system starting in April. Over about a month, Royal navigated through the city’s network, downloading nearly 1.2 terabytes of data through that server. In May, they initiated a ransomware attack, triggering the city’s alert systems.
According to city officials, the data stolen amounted to approximately 819,000 files stored by the city, impacting all of its 40-plus departments. The report identified at least 17 systems that were temporarily offline during the ransomware attack, including city fax and print services, police surveillance cameras, public safety file sharing, the building permitting system, library management services, fire station alert systems, police and fire mobile data computers, court-ordered warrant management system, and the ePay system for residents to pay their water bills and other departmental bills.
The exact quantity of data taken from city servers remains unclear. Although Royal has threatened to disclose city-stored information, Cuellar stated that as of Wednesday, the city has found no evidence of any leaked information.
City officials attribute the limited disclosure of incident details to an ongoing criminal investigation into the hacking. They have not confirmed whether any ransom has been paid to the hackers involved in the data breach. The FBI Dallas spokeswoman declined to comment on whether a criminal investigation is still ongoing.