Computer hackers accessed the personal information of at least 26,212 Texans in a ransomware attack on the city of Dallas, according to an official disclosure made public Monday, three months after the breach.
The city’s notice to the Texas Attorney General’s Office says the data breach included names, addresses, social security numbers, medical information and health insurance information. The information was published Monday. The city said the details were reported to the attorney general’s office on Thursday.
The disclosure, which is required by law, marks the most detailed information yet about the scope of the cyberattack, which has hampered city services in various ways for months. Dallas officials first told the public about the attack on May 3. They have cited a criminal investigation as a reason to provide few details in the months since.
It’s the largest data breach disclosed by a Texas city to the attorney general’s office this year, and the tally indicates that the impact reaches far beyond Dallas’ around 13,400 employees.
The notice was published 97 days after the city first disclosed the attack. Catherine Cuellar, the city’s communications director, said Tuesday that Dallas delayed reporting to the attorney general’s office because the city’s initial investigation of the breach and determining the sensitive information that was accessed didn’t end until late July.
“The investigation and data review process remain ongoing,” Cuellar told The Dallas Morning News.
State law requires organizations to disclose data breaches to the attorney general’s office no more than 60 days after discovering it happened. There are a few exceptions.
Notification can be delayed at the request of law enforcement if investigators believe notice could hamper a criminal investigation. It can also be delayed to determine the scope of the breach and “restore the reasonable integrity of the data system,” according to the law.
It wasn’t until last week that the city told the public that hackers could have been downloading personal data from city servers between April 7 and May 4. Dallas officials also say they knew by June 14 that hackers had accessed personal information stored on city servers, but city officials did not disclose that fact until July 18 when City Manager T.C. Broadnax sent an email to city employees saying some human resources department data was among information exposed during the ransomware attack.
A copy of an Aug. 3 letter sent to a city employee, obtained by The News, also says people’s birth dates and medical diagnoses may have been among the sensitive information stolen. The letter sets a Nov. 30 deadline to enroll in the credit monitoring, which would include up to $1 million in identity theft insurance coverage.
See here for my last update back in May. An earlier version of this story, before the 26,000 number had been confirmed, gave a timeline of events; there wasn’t much since that May update except for some teases that there was personal data involved in the attack. I suppose the good news is that the threat group still hasn’t published anything, but that doesn’t mean that they haven’t sold what they harvested. It just means that only those within their network would have access to it at first.
None of this is good, and it’s why I’ve banged on this drum so much lately. A law passed this session would shorten the reporting time for data privacy incidents like this from 60 days to 30, but as you can see there still will be instances where that deadline goes by. The problem is that these attacks are lucrative, and as noted there are a lot of easy targets out there. If you don’t want your city or county or school board to be among them, you’ve got to raise some hell about it. You don’t know when it might be too late.