
Tulsa: Ransomware Attackers Leaked 18,000 Files

Information Handled by the Police Department Exposed

The city of Tulsa issued a warning this week that a ransomware group that attacked the city in May leaked more than 18,000 city files on the dark web.


"Today, the city of Tulsa was made aware the persons responsible for the May 2021 city of Tulsa ransomware attack shared more than 18,000 city files via the dark web mostly in the form of police citations and internal department files," the city said in its statement. The police citations contain personally identifiable information, such as name, date of birth, address and driver's license number. Police citations do not include Social Security numbers, Tulsa officials say.

When the city reported the attack on May 9, officials said no resident or customer information had been compromised - but the investigation proved otherwise.

Based on dark web activity observed, Brett Callow, threat analyst with Emsisoft, identifies the attacker as the Conti group. He says the Tulsa attack marks the 37th time a municipality has been struck with ransomware in 2021. In 2020, 113 were affected, he adds.

Screen shot of what are apparently Tulsa city files posted by Conti on the darknet

Warning to Residents

The city has issued a blanket warning for anyone who has interacted with the Tulsa Police Department.

"No other files are known to have been shared as of today, but out of an abundance of caution, anyone who has filed a police report, received a police citation, made a payment with the city, or interacted with the city in any way where PII was shared, whether online, in-person or on paper, prior to May 2021, is being asked to take monitoring precautions," the city says.

The city advises any residents who may have interacted online with the city or police department to:

  • Monitor financial accounts and credit reports;
  • Get their credit/debit card companies to issue a fraud alert;
  • Change passwords to personal accounts;
  • Take additional authentication measures in all personal accounts and applications.

The May Incident

On May 9, Tulsa city officials shut down systems and websites after the ransomware attack, making it impossible for residents to gain online access to many services. "We're not going to pay any ransom," Tulsa Mayor G.T. Bynum said on May 20. Instead, the city of 766,000 relied on its backups and a disaster recovery plan to restore access to data.

The city says its main priority has been restoring critical resources and mission-essential functions, including public-facing systems and internal communications and network access functions. That process is continuing, city officials say.

The city's 911 and emergency response systems were not affected by the attack, but the city's utility billing system and several other online services were affected.

About the Author

Doug Olenick


Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.
