More specific info, but still a lot we don’t know.
Dallas’ top information technology official says the city hasn’t found any signs yet that personal information from employees or residents has been leaked after a cyberattack last week.
Bill Zielinski, Dallas’ chief information officer, told council members Monday during a public safety committee meeting that monitoring is ongoing to see if any personal information stored by the city shows up elsewhere, such as on the dark web. If it does, the city plans to directly contact people affected.
The city’s network is still being restored after last Wednesday’s ransomware attack, and city servers and devices may need to be replaced to make sure they aren’t corrupted, Zielinski said. He offered no timeline on when all impacted city services will be restored, said state and federal officials are in contact with the city as an investigation continues, and declined to give specific details related to the ransomware attack.
“The city cannot comment on specific details related to the method or means of the attack, the mode of remediation or potential communications with the party launching the attack,” Zielinski said. “Doing so risks impeding the investigation or exposing critical information that can potentially be exploited by the attacker.”
Zielinski said the city intentionally took electronic systems, services and devices offline after detecting the ransomware early Wednesday to prevent it from spreading.
See here and here for the background. Putting my cybersecurity hat on, everything said here is more or less normal and expected. It sounds to me like they are not paying any ransom but instead are restoring and rebuilding their affected assets. That takes longer, but it doesn’t put you into any kind of relationship with the attackers. I can’t tell for sure if they know (or reasonably believe) that personal data was exfiltrated or if they’re not sure. Notifying people who have been affected is the normal course of action, if needed. There are various services to monitor the dark web to look for the presence of this kind of data; I presume they are using such a service for this purpose. They may or may not have hired a third-party firm to verify their systems are no longer compromised and to do a full incident report; they may have that capability themselves or already have a contract with a firm that does this kind of work for them as a part of business as usual.
Zielinski had a closed-door meeting with the Council, in which I presume he gave them much more detail. What I would want to know is 1) how exactly did this happen – we have the basic information, but we need to know how it went once the first machine was compromised, how it spread to other machines; 2) what security controls failed or were missing that could have stopped or minimized this; and 3) what did we learn from this so we can prevent a repeat occurrence – obviously, better employee training is key, but better blocking of the type of program used in the compromise and better endpoint detection and response could be on the agenda as well. Hopefully Dallas will share their experience with other cities, counties, school districts, and other entities that could learn from it. We all need to be in this together. WFAA and NBCDFW have more.