Cyber Incident Victim: City of Dade City

Date: Nov 2020

Location: United States of America

Summary

A ransomware group claimed responsibility for an attack against a Florida municipality, threatening to leak sensitive data unless their demands were met. The attackers provided screenshots showing access to police department files containing personnel records such as complaints and injuries. While the city acknowledged the breach and its impact, it provided limited details about the incident. Subsequent notifications revealed that personal information of nearly 1,000 individuals was compromised. The attackers emphasized the potential exposure of employee and police records to pressure the city into compliance, though the municipality's public response remained minimal throughout the incident.

Description

On or around November 22, 2020, Avaddon threat actors compromised systems belonging to the City of Dade City, Florida. The attackers publicly claimed responsibility for the breach and posted screenshots of directories and files to substantiate their claims. These screenshots included police department records containing personnel-related information such as complaints, injuries, and other internal matters dating back several years, with filenames referencing at least one verified Dade County Police officer. The threat actors issued a ransom demand, threatening to release stolen data within four days if the city failed to cooperate, specifically addressing Mayor Camille Sutherland Hernandez and warning of potential leaks involving municipal and police employee personal information. The city’s website (dadecityfl.com) became inaccessible shortly after the incident, but the city initially issued no official statement confirming or denying the attack. By December 8, 2020, the city acknowledged the cyberattack in a public statement but provided no substantive details regarding its scope or impact.

The breach’s discovery timeline later became a point of contention. While the city had implicitly acknowledged the incident by December 2020, its external counsel reported to the Maine Attorney General’s Office on July 21, 2021, that the intrusion was discovered on June 28, 2021—over seven months later. This notification disclosed that 934 individuals were affected by the breach, contradicting the earlier implicit acknowledgment of the attack. The discrepancy centered on the city’s assertion that June 28 marked the discovery of compromised personally identifiable information (PII), whereas critics argued the discovery date should reflect when the breach itself was initially detected. No further technical details about the attack vector, containment measures, or data restoration efforts were disclosed by the city or its representatives. The attackers’ claims regarding data exfiltration were never publicly verified or refuted by the municipality beyond the acknowledgment of an incident occurring.
