No Personal Data Leaks in Dallas Ransomware Attack, CIO Says

The city works to restore all systems as the region’s IT leaders follow developments.

Dallas’ top information technology official says the city hasn’t found signs that personal information from employees or residents has been leaked after a cyber attack last week.

CIO Bill Zielinski told councilmembers Monday during a public safety committee meeting that monitoring is ongoing to see whether any stored personal information shows up elsewhere, such as on the dark web. If it does, the city plans to directly contact those affected.

The city’s network is being restored after the May 3 ransomware attack, and city servers and devices may need to be replaced to make sure they aren’t corrupted, he said. He offered no timeline on when all impacted city services will be restored.

State and federal officials are in contact with the city as an investigation continues, and Zielinski declined to give specific details related to the attack.

“The city cannot comment on specific details related to the method or means of the attack, the mode of remediation or potential communications with the party launching the attack,” Zielinski said. “Doing so risks impeding the investigation or exposing critical information that can potentially be exploited by the attacker.”

He said the city took electronic systems, services and devices offline after detecting the ransomware early May 3 to prevent it from spreading.

Monday marked the first time outside of news releases the city publicly addressed the infiltration that caused widespread system outages. The attack disrupted several city departments, including causing the municipal courts to close; stopping residents from paying their water bills online; and forcing first responders to use radios, pens and paper to respond to and keep track of emergency calls.

Zielinski said the city couldn’t accept new applications for building permits until Sunday.

The city identified a group called Royal as being behind the ransomware, a type of software used to threaten to publicly release data stored by organizations unless a payment is made. One common way such attacks happen is through phishing campaigns that trick people into downloading malicious software or sharing their username and password.

City and police department websites were set to be restored along with computer-aided dispatch. According to the city, 1,900 police and fire mobile devices are being tested to make sure they can safely be used, and the dispatch system could be fully restored by this week.

The breach comes just months after Royal targeted the Dallas Central Appraisal District (DCAD), forcing it to pay $170,000.

As cybersecurity experts in the city fight to restore services, the episode has caused other cities to look at their own security efforts.

“Cybersecurity is a 24/7/365 effort that includes adjusting from what we learn from others’ situations to further our own protection,” said Sam Bradford, Mesquite’s IT director.

Experts have described Royal as a sophisticated “gang” that gains access to victim networks through phishing about two-thirds of the time. They say it’s one of many “opportunistic” groups that encrypt data and threaten to publicly release it unless a ransom is paid.

It’s not clear whether the city will pay Royal, but experts said it’s not wise to do so as attackers can come back and may not decrypt all of the data.

“If you pay a ransom to one group or one gang, others might come back in a couple months,” said Jess Parnell, vice president of security operations of Virginia-based Centripetal Networks, a cybersecurity company.

Cities across North Texas are using Dallas as a lesson.

Bryce Carter, Arlington’s CISO, said it’s important for cities to know “what’s impacting those close to us” to know where to focus their own defenses.

He said Arlington has devoted more resources to cybersecurity in recent years to limit the scope and blast radius of online attacks.

“The only way we can all be resilient is if we can work and collaborate together as a collective force,” Carter said. “If we can’t do that, then we’re all operating kind of in silos, which means we’re basically expelling way too much energy.”

Carter said local governments nationwide are beginning to realize cybersecurity investments are necessary to deliver services to residents.

“It’s really unprecedented risk when it comes to local governments, and it can be difficult to have some resilience because budgets are generally limited,” he said. “That’s not something 20 years ago we ever had to deal with.”

Denton spokesperson Stuart Birdseye reiterated the sentiment, adding officials there are keeping a close eye on the environment.

He said Denton has processes in place for cyber attacks, but also relies on employees being diligent in how they use email and technology to prevent exploits.

“Once we hear what the official cause is [in Dallas], we will be able to focus our attention on those areas should they also be in our environment,” Birdseye said.

Irving spokesperson April Reiling said the city partners with a vendor to constantly monitor and respond to cybersecurity threats.

Bradford, the Mesquite IT director, said officials there are reminding staff to stay vigilant after Dallas’ systems were compromised.

“We hope that Dallas is able to discover the root cause of the attack, remove it 100 percent from their systems and return to their normal operations for the sake of their citizens and staff,” Bradford said.

©2023 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.