Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management
Tulsa: Ransomware Attackers Leaked 18,000 Files
Information Handled by the Police Department ExposedThe city of Tulsa issued a warning this week that a ransomware group that attacked the city in May leaked more than 18,000 city files on the dark web.
See Also: Preparing for New Cybersecurity Reporting Requirements
"Today, the city of Tulsa was made aware the persons responsible for the May 2021 city of Tulsa ransomware attack shared more than 18,000 city files via the dark web mostly in the form of police citations and internal department files," the city said in its statement. The police citations contain personally identifiable information, such as name, date of birth, address and driver's license number. Police citations do not include Social Security numbers, Tulsa officials say.
When the city reported the attack on May 9, officials said no resident or customer information had been compromised - but the investigation proved otherwise.
Based on dark web activity observed, Brett Callow, threat analyst with Emsisoft, identifies the attacker as the Conti group. He says the Tulsa attack marks the 37th time a municipality has been struck with ransomware in 2021. In 2020, 113 were affected, he adds.
Warning to Residents
The city has issued a blanket warning for anyone who has interacted with the Tulsa Police Department.
"No other files are known to have been shared as of today, but out of an abundance of caution, anyone who has filed a police report, received a police citation, made a payment with the city, or interacted with the city in any way where PII was shared, whether online, in-person or on paper, prior to May 2021, is being asked to take monitoring precautions," the city says.
The city advises any residents who may have interacted online with the city or police department to:
- Monitor financial accounts and credit reports;
- Get their credit/debit card companies to issue a fraud alert;
- Change passwords to personal accounts;
- Take additional authentication measures in all personal accounts and applications.
The May Incident
On May 9, Tulsa city officials shut down systems and websites after the ransomware attack, making it impossible for residents to gain online access to many services. "We're not going to pay any ransom," Tulsa Mayor G.T. Bynum said on May 20. Instead, the city of 766,000 relied on its backups and a disaster recovery plan to restore access to data.
The city says its main priority has been restoring critical resources and mission-essential functions, including public-facing systems and internal communications and network access functions. That process is continuing, city officials say.
The city's 911 and emergency response systems were not affected by the attack, but the city's utility billing system and several other online services were affected.