Officials with Dallas’ information and technology services department said Sept. 20 a ransomware attack in May that suspended city services and leaked residents’ sensitive information is nearly entirely contained.

The attack, launched by a group called Royal, impacted all city departments and interrupted all city operations.

The details

Chief Information Officer Bill Zielinski and Brian Gardner, chief technology and information security officer, delivered a report to City Council that provided select details about the city’s response to the cyberattack. The briefing was originally scheduled for Sept. 6 but was postponed because of a lengthy budget meeting.

Gardner said Royal gained initial access to the city’s network April 7 by using stolen credentials. Between April 7 and May 3, the group excavated 1.169 terabytes of the city’s 3.8 petabytes of data.

City officials previously said about 30,000 current and former employees, plus residents not employed by the city, had data leaked during the breach. The city is offering free credit monitoring for those affected.

The city’s IT department was able to identify the data breach after 27 days and “contained the infection” in one day, Gardner said. The mean time to identify and contain a data breach is 204 and 73 days, respectively, according to the report.

By June 9, the city’s IT department had restored 90% of the network, according to the report. The recovery effort is at 99.9% with only a small number of tests and development efforts left to be completed, Gardner said.

“As with any event, [IT systems] shall take lessons learned for continuous revision of the incident response plan,” Gardner said.

By the numbers

Cyberattacks like the one Dallas experienced are common, Zielinski said. About 70% of organizations, such as school districts, hospital systems and municipal governments, have had sensitive data compromised or breached in the last 12 months, according to the report.

Since the attack on Dallas’ network, more than 250 entities have reported data breaches to the U.S. Department of Health and Human Services, and more than 200 have reported breaches to the Texas Attorney General, according to the report. Combined, those breaches have impacted tens of millions of people.

What else?

As of Sept. 20, a federal investigation into the cyberattack is still ongoing, Zielinski said. Royal’s “dark website” has been shut down for several months, but city officials are monitoring it for any potential activity, he added.

Gardner and Zielinski would not publicly answer questions regarding specific details about how Royal stole city credentials because of the ongoing investigation.

A final analysis of the cyberattack has not yet been completed, Gardner said. Once it is complete, a report will be provided to City Council.