DCAD’s ‘Laissez-Faire’ Response to Ransomware Attack Causes Frustration as Tax Deadline Looms

The Dallas Central Appraisal District is still operating on a bare-bones website in the wake of a ransomware attack, and one local tax expert says homeowners who corresponded electronically with the local office could be facing a security threat of their own.

Glenn Goodrich, founder and CEO of propertytax.io, said he’s not mad at DCAD for getting hacked, but the way it’s been handled leaves something to be desired. 

“I’m pretty angry about how relaxed they are about telling the public not to worry about it,” he said. 

Is DCAD Downplaying The Problem?

Property owners get a notice of appraised value in the mail with a PIN number attached. To file a protest, DCAD doesn’t ask users to create an account or enter a password, but the site issues a prompt for an email address and a unique PIN number. 

“Where I think DCAD’s being too laissez-faire is [a hacker] can tie an email address to a property you own,” Goodrich said. “A lot of what goes on with hackers is not the hacker running some kind of algorithm and trying to figure out your password. What hackers do seemingly well is social engineering, like ‘Let’s try to get people to tell us information about them and make it look official.’ That’s why you receive emails from Wells Fargo with their logo on it.”

It’s the email addresses, he added, that are the “honeypot” for hackers. 

“Since COVID, the appraisal districts have worked almost exclusively with people via email,” Goodrich said. “People tend to send a lot more information than they need to, to the appraisal district, information the appraisal district never asked for, like their social security number. I honestly think it’s a honey pot of personal information that could be used years down the road against people. They package up this information and sell it on some dark web market.” 

The mess that the DCAD security breach has caused for property owners is swirling into a perfect storm as tax bills are due on Jan. 31. 

Goodrich said there’s really no way to cite the hack as a way to delay paying a tax bill. Go ahead and do it even if you think you’re due an exemption that has not yet been processed. It will likely be refunded later, he said. 

“As far as getting tax bills out and people trying to access information, they can still access that information on the tax assessor-collector’s website, and they always have been able to,” Goodrich said. 

Addressing The Ransomware Attack

In addition to uncertainty about whether deeds and personal information have been accessed by hackers, homeowners are also unable to access detailed data or mapping on the DCAD site. 

The FBI is involved, and a new service provider, Farmers Branch-based BIS Consultants, was enlisted to assist. BIS referred questions from CandysDirt.com to DCAD, and DCAD’s chief appraiser and director of community relations did not respond to multiple requests for an interview. 

The DCAD website went down Nov. 8. This message is now displayed:

On November 8, 2022, the Dallas Central Appraisal District (DCAD) was the subject of a ransomware attack. The attack effectively disrupted all online services of DCAD and the disruption is ongoing. The DCAD is working diligently to restore all online functionality and will continue to do so.

In an effort to accommodate the public during our system breach, the Dallas CAD will have a temporary website available for public use, effective December 15, 2022. The website will initially contain limited data but more will be added as we proceed forward. We anticipate the return of our full-functioning website sometime in early 2023.

The authorities are aware of our ransomware case and we are cooperating with their investigation. Accordingly, we have no further comment at this time.

Dallas Central Appraisal District

The Perfect Storm For Tax Season

Dallas County Tax Assessor/Collector John Ames said the DCAD situation is causing a mountain of problems for his office and the property owners he serves. 

“It’s a perfect storm because it happened when tax statements went out,” Ames told CandysDirt.com. “We mail them in October. Our largest supplements come from DCAD in October, November, and December, when they finalize their exemptions.” 

DCAD Launches ‘Bare Bones’ Site For Basic Search Tools With New Service Provider, But is Consumer Info Safe?

When homeowners call the tax office and say they lost an exemption, they’re directed to DCAD and ask for the exemption to be restored. That can take up to 120 days in a ‘normal” situation, Ames said. 

“Now with the ransomware attack, we received our November supplement just now in January,” Ames explained. “So as people call us, we take down their information and contact DCAD. We prefer to have it on the supplement, but if a customer calls, we will try to update our system. We now have to call DCAD rather than pull the info ourselves, because we cannot see it online any longer.” 

Professionals who have login accounts with DCAD tell CandysDirt.com they have not been contacted with additional information about how the hack occurred or a suggestion to change their passwords. Goodrich said his advice to property owners who occasionally browse the DCAD site or have logged in with a PIN number is the same as it would be prior to the security breach. 

“Be extra, extra diligent,” Goodrich said. “Don’t click on links or open up documents from emails you don’t know. I think it’s pretty safe to say, even before the DCAD hack, everybody’s probably at risk for some sort of hack from the online business that they do. The same sort of rules apply. I just think DCAD’s being too laissez-faire about it. They’re saying no personal data was exposed. Well, they have your email.” 

Appraisal districts are governed by a board of directors who control the budget and can hire and fire the chief appraiser. It was unclear at deadline whether a line item in the DCAD budget is allocated for periodic cybersecurity audits, but you can bet we’ll be filing open records requests and providing more information. 

About Those Tax Bills

A record number of protests — more than 200,000 — were filed contesting increased valuations, Cheryl Jordan, DCAD director of community relations, has said. The appraisal district heard and resolved about 95 percent of the protests prior to the hack, she told another media outlet last month. That’s separate from processing homestead exemptions, and we don’t really know where the appraisal district stands on that. 

Goodrich reiterated that Dallas County homeowners should go ahead and pay their tax bills, even if they’re waiting on a homestead exemption or the results of a protest. 

Appraisal districts beyond Dallas County are having difficulty processing homestead exemptions because they’re short-staffed. 

“Now with Dallas being down for basically a month, that’s going to create a backlog of homestead exemptions, and they were already having trouble processing those on time,” Goodrich said. “I don’t know, it could be six months before it shows up. People are going to have tax bills that are too high because they don’t reflect the homestead exemption. You just have to pay and wait for a refund. I don’t think in any case you should not pay the tax bill until they get it right. That’s never really been a remedy. That could result in penalties.” 

Senior columnist Karen Eubank contributed to this report.