City of Dallas
Breach Analysis

• 2023-05-03

  Royal ransomware detonated — Dallas police CAD and court systems offline
• 2023-05-04

  Dallas Fire Rescue and 311 systems affected; paper-based fallback activated
• 2023-05-15

  City council informed; initial damage assessment underway
• 2023-07-01

  Most systems restored; forensic investigation ongoing
• 2023-09-13

  26,212 individuals notified; breach notification letters mailed
• 2024-02-28

  Final remediation costs reported: $8.5M+

How they got in

Royal ransomware group used phishing email to establish initial foothold. Dwell time estimated at several weeks before payload detonation. CJIS-connected police systems affected, triggering FBI involvement. Threat actor exfiltrated data before encrypting — double-extortion tactic.

Sentinel / Fortress / Command coverage

Sentinel ($89/ep/mo) — 24/7 SOC + SIEM. Fortress ($109/ep/mo) — Sentinel + EDR management + vulnerability management. Command ($129/ep/mo) — Fortress + vCISO + compliance mapping + IR plan. See full tier comparison →

Regulatory exposure

5-point hardening list

• 1
  Email security: advanced threat protection with sandbox detonation for all attachments — block Royal/common ransomware phishing vectors
• 2
  Network segmentation: police CAD, 911 dispatch, and fire systems isolated on dedicated networks with zero external access
• 3
  Documented CJIS incident response plan with FBI contact chain — tested via tabletop annually
• 4
  EDR on all city endpoints with centralized SIEM correlation — dwell time detection objective: <4 hours
• 5
  Offline backup for all critical city systems — CAD, courts, financial — WORM-compliant, restore-tested quarterly

• → City of Dallas official statement
• → CISA Royal Ransomware Advisory AA23-061A
• → DataBreaches.net — Dallas

CoreRecon cites verifiable public sources only. No speculation on unverified attribution is published. Threat actor attribution appears only where publicly confirmed by law enforcement or the organization.