The City of Dallas said on Thursday that hackers obtained the personal data of “certain individuals” from City servers in April and early May, opting not to specify whether the data belonged to City employees or ordinary residents.
In a press release sent to The Dallas Express, the City said, “While the investigation is ongoing, it has determined that an unauthorized third party accessed certain servers and downloaded some data from the servers between April 7, 2023 and May 4, 2023.”
As previously reported by The Dallas Express, City officials claimed a ransomware attack carried out by the cybercriminal group Royal affected multiple computer systems, leading to temporary disruptions of City services — including emergency response communications.
“On June 14, 2023 and in the weeks following, the investigation determined that files potentially containing sensitive information of certain individuals were accessed by the unauthorized third party, including full name, home address, Social Security number, date of birth, insurance information, clinical information, claims information, diagnosis, and other identifiers,” the City said, per the press release.
The City claimed that it was still unaware of any instances of identity theft or fraud stemming from the purported ransomware attack. It did, however, note that it would be offering “involved individuals” two years of free credit monitoring and identity theft protection services.
As previously reported by The Dallas Express, it was revealed that City Manager T.C. Broadnax emailed City employees and told them that employee information maintained by the City’s Department of Human Resources had been accessed by the purported hackers. However, the City’s most recent press release — with its lack of specificity — suggests the personal data of non-employees may have been accessed and downloaded.
The seeming lack of transparency on the part of the City has been an issue of concern for Dallas residents, with a plurality of respondents in a poll conducted by The Dallas Express indicating they think officials should be more forthcoming.
Dallas Police Association (DPA) President Mike Mata told The Dallas Express that he takes issue with how long it took the City to notify its employees that their data may have been exposed.
“That false sense of security created a long period of time that employees could have taken protective steps. Seems very disingenuous,” Mata said.
Such sentiments were echoed by the Dallas Fire Fighters Association (DFFA).
“Months have gone by since the initial ransomware attack on the City of Dallas and [City Manager] Broadnax repeatedly stated that no personal information was compromised, well, now he finally admits that was a lie and our personal data was stolen by hackers,” DFFA posted on social media on Thursday.
“Don’t know how long this council will tolerate his behavior and arrogance,” DFFA continued. “From the beginning the DFFA and DPA demanded protection only to be told that we had nothing to worry about. Time to pack up and go, Mr. Broadnax.”
The purported hackers reportedly threatened to publish the personal information of City employees.
“We will share here in our blog tons of personal information of employees (phones, addresses, credit cards, SSNs, passports), detailed court cases, prisoners, medical information, clients’ information and thousands and thousands of governmental documents,” wrote Royal on its dark web blog.
Before Broadnax’s July admission via email to City employees, the City repeatedly claimed that there was no evidence that personal data had been compromised.
In a May letter to Broadnax, Mata and DFFA President Jim McDade claimed the city manager’s office had misrepresented the extent first responder services were affected by the alleged ransomware attack in early May.
“Your office repeatedly stated that our operations were not affected in any way and that was flat out false … [T]he city manager’s office was warned in the past few years that the systems in place in Dallas were not sufficient and susceptible to attack and still nothing was done to both protect the city and its employees,” wrote Mata and McDade, as previously reported by The Dallas Express.
