When the Dallas Central Appraisal District website was hacked by a ransomware group in November, little information was released about how such a cybersecurity attack infiltrated the hub of information frequently used by homeowners and real estate professionals.
To make matters worse, the hack occurred as residents were in the midst of paying their tax bills and using the detailed information on the DCAD site to determine how much they owe.
The FBI was immediately called in to investigate the attack, reportedly perpetrated by the world’s No. 1 online extortion group, Royal Ransomware.
Ultimately, according to a Dallas Morning News Watchdog report, DCAD paid the hackers $170,000 from a reserve fund, a fraction of the district’s $34 million operating budget and a significantly lower amount than the cyberterrorists originally requested.
The team at daltxrealestate.com reached out repeatedly to DCAD Director of Community Relations Cheryl Jordan and longtime Chief Appraiser Ken Nolan, but they have not responded to our requests for comment.
The website, which manages 840,000 property accounts, was reactivated in mid-January.
A Closer Look at The DCAD Budget
As promised, daltxrealestate.com submitted an open records request for the DCAD 2022-23 budget, and we received it — all 202 pages of it.
We called on Glenn Goodrich, founder and CEO of propertytax.io, who also took a look at the budget and pointed out references to software maintenance and an email protection program.
“To have security as a priority with the budget and to only see the email protection program kind of buried in the budget doesn’t seem like they are actually prioritizing it,” Goodrich said. “I did not see any cybersecurity audit, which I would think is where this line item would go. [There’s] no third-party verification to ensure DCAD is doing the best or even the minimum they could do to meet their security goal.”
Goodrich previously pointed out that, since the COVID-19 pandemic, DCAD has done the majority of its business electronically. Email addresses are a “honey pot” for cybercriminals, who now can contact DCAD clients directly with virus emails disguised to appear as though they’re being sent by reputable businesses like Wells Fargo, Netflix, or Amazon.
Dirty Links And Ransomware
Nolan told the Dallas Morning News that, with DCAD board approval and at the suggestion of a cybersecurity company on retainer, he hired a third-party vendor to negotiate with the hackers.
Nolan has said publicly that he believes the attack was unknowingly launched by an employee who clicked on a “dirty link” that appeared to come from a vendor.
Although it’s not clearly outlined in the budget, a document adopted prior to the hack, DCAD officials said the district has hired a third cybersecurity company to monitor its entire system. Employees now use a two-step authentication process to log into the system and a new code is set daily.
We talked to Dallas County Tax Assessor-Collector John Ames, an ex-officio board member of DCAD. His name appears on the budget document.
He said he can’t comment on what security measures were in place prior to the hack or what’s been done to protect against another occurrence in the future.
He will say, however, that his office is carefully proceeding with processing tax bills. A lot of business that previously was conducted by email now is done over the phone, Ames said.
“We weren’t allowed to do business with DCAD for 2 ½ months,” he said. “We took it very seriously.”
No Break on Property Tax Due Date
Tax bills were due Jan. 31, and by all accounts, no grace will be shown to those who missed the deadline because of the hack. They will, however, be given refunds or corrective statements if they overpaid, Ames told daltxrealestate.com Monday.
Another factor came into play, as Thundersleet Icemaggedon hit North Texas last week, prompting the closure of city and county offices for up to three days.
Emails sent to Ames during the week of Jan. 30 — albeit in the midst of the inclement weather — generated automatic replies.
“We are unable to waive penalty and interest that accrues if the payment is not received by January 31, but we are able to refund money back if the adjustment made on your account results in a lesser tax amount,” the email states. “Questions regarding ownership, address corrections, values, or exemptions on a property should be directed to your Appraisal District. Please be advised that the Dallas Central Appraisal District (DCAD) is currently experiencing technology issues that affect their website and emails. If you need to contact DCAD, please call their office at (214) 631-0910.”
Ames pointed out that when tax statements are issued in October, they’re actually due upon receipt. Homeowners had plenty of time to pay them before the drop-dead deadline last week, he said. Ames said he’ll be accepting payments that are postmarked through Feb. 3 because of the post office closure last week.