Cyber Incident Victim: Tarrant County
Date: Jun 2023
Location: United States of America
Summary
A cyberattack compromised a Texas city's website, with threat actors claiming unauthorized data access. Officials confirmed no sensitive resident, business, or employee information was exposed, including financial or personal identifiers. The leaked materials originated from an internal maintenance work order management system, containing repair photos, spreadsheets, invoices, and internal communications. Attackers allegedly used stolen credentials to infiltrate the system, intending to embarrass the municipality for political reasons. In response, the city enforced mandatory password resets across all user accounts and initiated a collaborative investigation with law enforcement and digital forensics specialists to assess the breach's full extent.
Description
On June 23, 2023, the City of Fort Worth, Texas, disclosed a cybersecurity incident involving unauthorized access to its internal systems. The breach was detected after the Texas Department of Human Resources alerted city officials around 4:00 p.m. on June 23 upon identifying a post by threat actors claiming responsibility. Attackers asserted they had compromised city data, subsequently publishing information from an internal website used to manage maintenance work orders for the Transportation and Public Works, Park and Recreation, and Property Management departments. Fort Worth Chief Technology Officer Kevin Gunn confirmed the leaked data consisted of file attachments to work orders, including before-and-after repair photos, spreadsheets, invoices, staff emails, PDF documents, and related operational materials. Officials verified the data did not originate from the city’s public-facing website, and no evidence indicated exposure of sensitive resident, business, or employee information such as Social Security numbers, credit card details, or banking records. Initial analysis suggested attackers gained access through compromised login credentials for the city’s "view work system," a platform for tracking maintenance requests. Gunn attributed the attackers’ motives to an intent to "embarrass the city and make a political statement," citing language in their post. Immediate containment measures included forcibly resetting all user passwords and removing access to the affected system to prevent further unauthorized activity.

The city initiated a coordinated response involving federal and local law enforcement agencies alongside computer forensic experts to assess the breach’s scope and origin. Officials emphasized the incident’s containment to non-sensitive operational data, though the exposure of internal communications and departmental documents raised concerns about potential reputational impacts. Gunn reiterated the city’s priority to protect stakeholders’ interests, stating decisions would align with safeguarding residents, businesses, and employees. Forensic reviews focused on determining the exact method of credential compromise and whether additional systems were accessed. While city operations continued without reported disruptions, the breach underscored vulnerabilities in internal administrative platforms. Ongoing investigations aimed to identify potential weaknesses in authentication protocols and access controls for specialized systems like the work order management portal. The city maintained public transparency through a press conference on June 24, reinforcing that critical infrastructure and public services remained unaffected. No ransomware demands or financial motives were cited, with the incident primarily characterized as a limited-data exfiltration attempt driven by ideological objectives rather than financial gain.
