After officials in Tulsa, Okla., refused to pay a ransom to unlock their systems, the attackers ratcheted up the pressure on the city by sharing personal information of some residents online.
The attackers released more than 18,000 files, mostly police citations and police department employee files, to the dark web. Those files contain personally identifiable information such as names, dates of birth, addresses and driver’s license numbers, the city said in a June 22 ransomware update.
On May 6, Tulsa’s IT Department was notified that some servers were actively communicating with a known threat site and that a ransomware attack had been launched on several city systems, including its online bill payment systems, utility billing and email, along with websites for the city and city council. The city’s police force and Tulsa 311 system were also impacted.
The city’s incident response team initially disconnected the affected servers, but as the malware spread, the team shut down all services to halt the attack. While law enforcement and an outside firm analyzed forensic data, city agencies have moved to manual business processes for some public-facing services, internal communications and network access functions until online services can be restored.
It could take another two months to get all of the city’s core systems up and running, Tulsa CIO Michael Dellinger told AP.
Meanwhile, officials are asking residents who have filed a police report, received a police citation, made a payment with the city or interacted with the city in any way where PII was shared, whether online, in person or on paper, prior to May 2021, to take credit monitoring precautions, change their passwords and use two-factor authentication.