Update on Ransomware Incident & Personal Data Protection

Update on Ransomware Incident & Personal Data Protection

Aug. 3 Update:

Notice of Data Event

The City of Dallas is providing notice of a recent data event that may impact the privacy of certain individuals’ sensitive personal information. While the investigation into the incident remains ongoing, this page will share information about the incident and the steps the City has taken to respond.

What Happened?

On May 3, 2023, we discovered suspicious activity in our network environment. We immediately responded to contain the threat and launched an investigation with the support of cybersecurity professionals. Through the investigation, we learned that an unauthorized third party accessed certain servers and downloaded some data from the servers between April 7, 2023 and May 4, 2023. We have conducted an extensive review process to analyze the contents of the files accessed by the unauthorized third party to determine what, if any, sensitive information was contained within them. On June 14, 2023 and in the weeks following, we determined that the accessed files contained sensitive information of certain individuals.

What Information Was Involved?

Our investigation to date has indicated that certain individuals’ sensitive personal information, including full name, home address, Social Security number, date of birth, insurance information, clinical information, claims information, diagnosis, and other identifiers, was impacted, which varied from person-to-person. Our teams remain hard at work to understand the full impact of the incident and will contact affected individuals if the investigation shows that additional elements of their sensitive personal information were impacted.

What We Are Doing.

We take the security of information in our care seriously. Immediately following the incident, we engaged cybersecurity professionals to aid in our investigation and took steps to identify and remediate the cause of the incident.

While we are unaware of any identity theft or fraud as a result of this event and our investigation remains ongoing, we are offering affected individuals a complimentary two-year membership in Equifax™ Complete Premier.  Equifax™ Complete Premier is completely free to you and enrolling in this program will not hurt your credit score.  The choice to enroll is up to you.  Follow the steps outlined in this letter, using the activation code included on the top right of the enclosed Steps You Can Take to Protect Personal Information, to enroll in this free service offering.  Equifax™ Complete Premier includes 24 months of credit monitoring, up to $1,000,000 identity theft insurance coverage for certain out-of-pocket expenses resulting from identity theft, and fully managed identity theft recovery services.  This includes access to WebScan, which monitors underground websites, chat rooms, and malware to identify trading or selling of certain enrollee personal information.  With this protection, Equifax also will help you resolve issues if your identity is compromised. We encourage impacted individuals to activate these services, as the City is not able to act on your behalf to activate them for you.

What You Can Do.

Additional services and resources can be found below in the section titled: Steps You Can Take to Protect Personal Information. This resource explains precautionary measures you can take to protect your sensitive personal information, such as placing a Fraud Alert and Security Freeze on your credit files and obtaining a free credit report. We encourage you to review this information. Additionally, you should always remain vigilant in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis.

For More Information.

If you have any questions regarding this incident or if you believe you are affected but have not received a letter by August 17, 2023, the City of Dallas has established a dedicated toll-free response line to respond to questions at 833-627-2708.  This response line is staffed with professionals familiar with this incident and knowledgeable on what you can do to protect against misuse of your information.  The response line is available Monday through Friday, 8 am to 8 pm Central Time, excluding major U.S. Holidays.

The privacy and security of your information is important to us, and we sincerely regret any inconvenience or concern this incident may cause you.

Steps You Can Take To Protect PERSONAL Information

1.            Obtaining a Free Credit Report.

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies.  Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

2.            Placing a Fraud Alert on Your Credit File.

Whether or not you choose to use the complimentary 24-month credit monitoring services, we recommend that you place an initial one-year “Fraud Alert” on your credit files, at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

EquifaxP.O. Box 105069Atlanta, GA 30348https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/(800) 525-6285 Experian P.O. Box 9554Allen, TX 75013https://www.experian.com/fraud/center.html(888) 397-3742 TransUnion LLCP.O. Box 2000Fullerton, PA 92834-6790https://www.transunion.com/fraud-alerts(800) 680-7289

3.            Consider Placing a Security Freeze on Your Credit File.

If you are very concerned about becoming a victim of fraud or identity theft, you may request a “Security Freeze” be placed on your credit file, at no charge. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

Equifax Security Freeze       P.O. Box 105788Atlanta, GA 30348https://www.equifax.com/personal/credit-report-services/credit-freeze/1-800-349-9960 Experian Security Freeze    P.O. Box 9554Allen, TX 75013http://experian.com/freeze1-888-397-3742 TransUnion Security FreezeP.O. Box 160Chester, PA 19016http://www.transunion.com/creditfreeze1-888-909-8872

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security Number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. As is explained in greater detail below, you will need it if you choose to lift the freeze.

If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name or to commit fraud or other crimes against you, you may file a police report in the city in which you currently reside.

If you do place a security freeze prior to enrolling in the credit monitoring service as described above, you will need to remove the freeze in order to sign up for the credit monitoring service. After you sign up for the credit monitoring service, you may refreeze your credit file.

4.            Additional Helpful Resources.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at https://www.identitytheft.gov/#/, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

As noted above, you may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting Act.

The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number (PIN), password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. To remove the freeze or to provide authorization for the temporary release of your credit report, you must contact the consumer reporting agency and provide all of the following:

  1. The unique personal identification number, password, or similar device provided by the consumer reporting agency;
  2. Proper identification to verify your identity; and
  3. Information regarding the third party or parties who are to receive the credit report or the period of time for which the credit report may be released to users of the credit report.

A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request.  A consumer reporting agency shall comply with the request within fifteen minutes of receiving the request by a secure electronic method or by telephone.

A security freeze does not apply in all circumstances, such as where you have an existing account relationship and a copy of your credit report is requested by your existing creditor or its agents for certain types of account review, collection, fraud control, or similar activities; for use in setting or adjusting an insurance rate or claim or insurance underwriting; for certain governmental purposes; and for purposes of prescreening as defined in the federal Fair Credit Reporting Act.

If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, with enough advance notice before you apply for new credit for the lifting to take effect. You should contact a consumer reporting agency and request it to lift the freeze at least three business days before applying.


July 24 Update:

Our investigation continues to progress, but we recently learned that some benefits-related information maintained by the City’s Human Resources department was accessed by the unauthorized third party responsible for this ransomware incident. The City will notify all impacted individuals whose information may have potentially been affected.

We continue to make progress in our recovery from the May 3 ransomware incident affecting our city. Our systems are more than 97 percent restored and we continue to prioritize restoration of our city services. We appreciate the community’s support, and remain grateful to our team for their hard work throughout our response to this incident.

We know there have been questions as to the impact of this incident and what, if any, sensitive data may have been affected as a result. Our teams remain hard at work to understand the facts of the situation and want to ensure that if the investigation determines that individuals’ sensitive information was involved in this incident, we will notify those individuals directly and provide resources to help protect their information in accordance with applicable law.

While our investigation remains ongoing, there are steps we can all take to help keep our information secure. We wanted to share some best practices you may choose to consider:

· It is always advisable to regularly review and monitor your accounts and statements closely. If you detect any suspicious activity on an account, you should promptly notify the institution and/or the company with which the account is maintained.

· It is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity over the next 12 to 24 months. If you see unauthorized charges or activity, please contact your financial institution immediately.

· You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.

· You may consider placing a fraud alert on your credit report. A fraud alert is free and will stay on your credit report for one (1) year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any new accounts in your name. To place a fraud alert on your credit report, contact any of the three national credit reporting agencies. Additional information is available at www.annualcreditreport.com.

Thank you all for your patience and understanding. We will continue to share relevant updates as appropriate as our investigation progresses.

Share this: