The Royal ransomware group compromised the healthcare information of 30,253 self-insured Dallas city employees during the May 3 ransomware attack, raising questions about why news of the theft was only recently made public.
On May 3, 2023, the city of Dallas experienced a ransomware attack from the Royal ransomware operation, a group that has actively been targeting educational institutions and healthcare infrastructure since Sept. 2022. The attack temporarily brought down city systems for the Dallas Police Department and Fire Rescue, including the 911 line. Although there were threats by Royal to share Dallas employees’ personal information, as late as June 1, Dallas officials had not indicated that any information was compromised during the data breach. A report filed with the U.S. Department of Health and Human Services shows that on Aug. 3, the city reported a breach of information for 30,253 people with self-insured group health plans. Compromised information included the victims’ phone numbers, credit card details, SSNs and medical information. The investigation is still ongoing, and Chief Information Officer Bill Zielinski is expected to update the Dallas City Council on Sept. 6.
According to Health and Human Services guidelines, a data breach affecting more than 500 people must be reported to the media no more than 60 days after the discovery of a breach. An IBM Cost of a Data Breach report from 2023 said that the mean time to identify and contain a ransomware breach with law enforcement involvement was 63 days. Fox4News said that at least one victim was informed of his personal data being stolen on June 14, but the city did not inform the public that benefits-related information may have been accessed until July 24, 50 days later.
To understand the city’s response and get more information about the attack and its lingering consequences, The Mercury spoke with professor of computer science Murat Kantarcioglu, who is head of UTD’s Data Security and Privacy Lab.
“[Dallas] might want to figure out which data is compromised,” Kantarcioglu said. “You don’t want to alert anybody if their data hasn’t been compromised because this can cause stress … maybe law enforcement doesn’t want to alert attackers on what’s going, or maybe they were doing some kind of investigation that may require [keeping] things under wraps, at least for some time.”
An attacker could gain more than just money from leaked data. According to The Dallas Morning News, authorities believe that the attack was caused by an employee falling for a phishing scam. Kantarcioglu explained that in this case, medical information was leaked, which an attacker could use to craft increasingly detailed phishing scams in the future.
“With personal information, you may be able to draft [something] very convincing,” Kantarcioglu said. “For example, emails such as ‘Oh, I noticed that you have this outstanding medical balance on this treatment that you have on this day.’”
Fortunately, Kantarcioglu has advice on how students can protect their information in case of personal data leaks. He highly recommends students use a credit freeze, meaning that a credit bureau will not share a person’s credit information with third parties. This stops identity thieves from opening new credit cards under the victim’s name. Kantarcioglu also suggested that everyone keep at least two backups of their data on an external encrypted drive and regularly update it; this ensures that if ransomware affects your computer, your data can be restored. He mentioned that he personally has two terabytes of external hard drive space for this reason.
“It kind of looks scary, but you know, if you take precautions, the risks will be minimal, especially with credit freeze and not clicking [links],” Kantarcioglu said.
Kantarcioglu said that, similarly, the key to protecting institutional data is making frequent backups. He also advises organizations to not pay the ransom demanded by attackers like Royal. The IBM Cost of a Data Breach report stated that organizations that paid the ransom during an attack only achieved a 2.2% difference in cost. Instead, the wisest response is to identify the device the virus has infiltrated and isolate it from surrounding networks to prevent its spread.
“I think that students, especially computer science students, [should] take cybersecurity-relevant classes,” Kantarcioglu said. “Once you have the fundamentals like good programming, and some fundamentals in data science and AI, you can do research or you can go to companies. Since now we are in the age of big data and AI, and it’s impacting every area, students must also have some background on [cybersecurity].”