DCAD Inaction on Ransomware Attack Fuels Tax Deadline Fury

Dallas Central Appraisal District Cyberattack: Unpacking the Fallout for Homeowners and Property Taxes

The digital infrastructure of the Dallas Central Appraisal District (DCAD) continues to operate under severe limitations following a crippling ransomware attack. This cybersecurity incident has left the district struggling with a bare-bones online presence, prompting a local tax expert to issue a stern warning: homeowners who have previously engaged with DCAD via electronic correspondence may face significant personal data security risks. The disruption couldn’t have come at a more critical time, as the January 31st tax bill deadline looms, creating a perfect storm of uncertainty for property owners across Dallas County.

Glenn Goodrich, the visionary founder and CEO of propertytax.io, has openly voiced his frustration, not at DCAD for falling victim to a sophisticated cyberattack, but at what he perceives as a lack of transparency and an overly relaxed approach to informing the public about the potential fallout. “I’m pretty angry about how relaxed they are about telling the public not to worry about it,” Goodrich stated, underscoring the gravity of the situation and the need for more forthright communication.

The Hidden Dangers: Is DCAD Downplaying the Data Threat?

The standard process for property owners to file a protest against their appraised value involves receiving a notice in the mail with a unique PIN. While DCAD’s online system traditionally doesn’t require users to create an account or set a password, it does prompt for an email address in conjunction with this PIN. This seemingly innocuous requirement, according to Goodrich, is precisely where the greatest vulnerability lies.

“Where I think DCAD’s being too laissez-faire is [a hacker] can tie an email address to a property you own,” Goodrich explained. He elaborated on the sophistication of modern cyber threats, highlighting that many successful attacks aren’t about brute-forcing passwords, but rather about leveraging social engineering. This technique involves manipulating individuals into divulging confidential information, often through seemingly legitimate communications. “What hackers do seemingly well is social engineering, like ‘Let’s try to get people to tell us information about them and make it look official.’ That’s why you receive emails from Wells Fargo with their logo on it.” In this context, the email addresses become what Goodrich calls a “honeypot”: a concentrated store of data that is valuable to malicious actors.

The shift towards increased electronic communication, particularly since the onset of the COVID-19 pandemic, has exacerbated this risk. Appraisal districts, including DCAD, have relied almost exclusively on email interactions with property owners. Goodrich notes, “People tend to send a lot more information than they need to, to the appraisal district, information the appraisal district never asked for, like their social security number.” This unsolicited sensitive data, combined with a confirmed email address tied to property ownership, creates a treasure trove of personal information. “I honestly think it’s a honeypot of personal information that could be used years down the road against people. They package up this information and sell it on some dark web market,” Goodrich warned, painting a grim picture of potential long-term identity theft and fraud risks for affected homeowners.

Navigating the Tax Season Storm: Payments, Exemptions, and Delays

The timing of the DCAD security breach has converged with the busiest period for property taxes, creating an unprecedented “perfect storm” for Dallas County residents. With tax bills due on January 31st, many homeowners are grappling with uncertainty, particularly concerning exemptions or protest outcomes that might not yet be reflected in their statements.

Despite the chaos, Goodrich’s advice is clear and unequivocal: pay your tax bill on time. Even if you believe you are entitled to an exemption that hasn’t been processed, or you’re awaiting the results of a protest, delaying payment is not a viable strategy. Penalties and interest can accrue rapidly. He reassured property owners that any overpayment due to unprocessed exemptions will likely be refunded later. “As far as getting tax bills out and people trying to access information, they can still access that information on the tax assessor-collector’s website, and they always have been able to,” Goodrich confirmed, indicating that basic tax information remains accessible through alternative channels.

DCAD’s Response and the Road to Recovery After the Ransomware Attack

Beyond the immediate financial concerns, homeowners are also facing an inability to access detailed property data, appraisal histories, or critical mapping tools typically available on the main DCAD site. This disruption extends to professionals who rely on this information for real estate transactions and property management.

In response to the crisis, the Federal Bureau of Investigation (FBI) has become involved, signaling the serious nature of the attack. Additionally, BIS Consultants, a Farmers Branch-based service provider specializing in government technology, has been enlisted to assist with recovery efforts. However, attempts to gain further insight into the situation have been met with silence. BIS referred media inquiries from daltxrealestate.com back to DCAD, whose chief appraiser and director of community relations have not responded to multiple requests for interviews, highlighting the agency’s tight-lipped approach.

The DCAD website went offline on November 8th, 2022, and has since displayed a concise message detailing the incident and recovery plans:

On November 8, 2022, the Dallas Central Appraisal District (DCAD) was the subject of a ransomware attack. The attack effectively disrupted all online services of DCAD and the disruption is ongoing. The DCAD is working diligently to restore all online functionality and will continue to do so.

In an effort to accommodate the public during our system breach, the Dallas CAD will have a temporary website available for public use, effective December 15, 2022. The website will initially contain limited data but more will be added as we proceed forward. We anticipate the return of our full-functioning website sometime in early 2023.

The authorities are aware of our ransomware case and we are cooperating with their investigation. Accordingly, we have no further comment at this time.

Dallas Central Appraisal District

While a temporary website offering limited functionality was launched on December 15th, 2022, providing some basic search tools, it falls far short of the comprehensive services homeowners and professionals are accustomed to. The promise of a “full-functioning website sometime in early 2023” offers a glimmer of hope, but the prolonged outage continues to test the patience of the public and raise questions about the resilience of critical government infrastructure.

The Ripple Effect: Dallas County Tax Assessor’s Office Overwhelmed

The ramifications of the DCAD outage extend far beyond its own operations, creating a cascading series of problems for other vital county departments. Dallas County Tax Assessor/Collector John Ames described the DCAD situation as causing “a mountain of problems” for his office and the thousands of property owners it serves. “It’s a perfect storm because it happened when tax statements went out,” Ames told daltxrealestate.com. “We mail them in October. Our largest supplements come from DCAD in October, November, and December, when they finalize their exemptions.”

Ames explained that under normal circumstances, when homeowners call his office regarding a lost exemption, they are directed to DCAD for restoration, a process that can take up to 120 days. However, the ransomware attack has drastically complicated this. “Now with the ransomware attack, we received our November supplement just now in January,” Ames revealed, illustrating the significant delays in inter-agency data transfer. This means the Tax Assessor’s office is receiving critical updated information months behind schedule.

The impact on daily operations is substantial. “So as people call us, we take down their information and contact DCAD. We prefer to have it on the supplement, but if a customer calls, we will try to update our system. We now have to call DCAD rather than pull the info ourselves, because we cannot see it online any longer,” Ames elaborated. This shift from efficient online data retrieval to time-consuming manual phone calls represents a significant bottleneck, contributing to increased wait times and administrative burden for both county staff and concerned citizens.

Heightened Vigilance: Protecting Personal Data in a Post-Breach World

The lack of detailed information surrounding the DCAD hack has left many professionals who regularly interact with the district’s online portal feeling uneasy. These individuals, who typically have login accounts, report not having received any specific guidance on how the breach occurred or recommendations to change their passwords. Glenn Goodrich’s advice for all property owners, whether they’ve just browsed the DCAD site or logged in with a PIN, remains consistent with general cybersecurity best practices, yet with an added layer of urgency.

“Be extra, extra diligent,” Goodrich emphasized. “Don’t click on links or open up documents from emails you don’t know.” He stressed that the risks of online security breaches are pervasive, regardless of specific incidents. “I think it’s pretty safe to say, even before the DCAD hack, everybody’s probably at risk for some sort of hack from the online business that they do. The same sort of rules apply. I just think DCAD’s being too laissez-faire about it. They’re saying no personal data was exposed. Well, they have your email.” This distinction is critical: while direct financial data or Social Security numbers might not have been compromised, the exposure of email addresses linked to property records is a significant vulnerability for targeted phishing and social engineering attacks.

The governance structure of appraisal districts, typically overseen by a board of directors that controls the budget and hires/fires the chief appraiser, raises questions about accountability and preventative measures. It remains unclear whether the DCAD budget includes provisions for regular cybersecurity audits—a critical component of modern digital defense. As this situation unfolds, concerned parties are likely to file open records requests to shed more light on the district’s cybersecurity preparedness and incident response protocols, which promises more information in the coming months.

The Crucial Role of Homestead Exemptions and Protest Outcomes

Adding another layer of complexity to the current tax season is the sheer volume of property tax protests filed in Dallas County. Cheryl Jordan, DCAD’s director of community relations, previously indicated that a record number of protests—exceeding 200,000—were submitted, challenging increased property valuations. Prior to the cyberattack, the appraisal district had managed to hear and resolve approximately 95 percent of these protests. However, this figure does not account for the separate, equally vital process of homestead exemption applications, and the current status of these applications within the appraisal district remains largely unknown.

Goodrich reiterated his strong recommendation for Dallas County homeowners to proceed with paying their tax bills promptly, even if they are still awaiting the finalization of a homestead exemption or the definitive outcome of a property value protest. This advice is critical to avoid costly penalties and accruing interest charges that can quickly escalate.

The challenges with processing homestead exemptions are not unique to Dallas County; many appraisal districts beyond Dallas have reported being short-staffed, leading to existing backlogs. “Now with Dallas being down for basically a month, that’s going to create a backlog of homestead exemptions, and they were already having trouble processing those on time,” Goodrich stated. He warned that it could potentially take “six months before it shows up.” This means many property owners may initially receive tax bills that are inaccurately high because they do not yet reflect approved homestead exemptions. In such scenarios, the course of action is to pay the billed amount and then wait for a refund once the exemption is correctly applied. “I don’t think in any case you should not pay the tax bill until they get it right. That’s never really been a remedy. That could result in penalties,” Goodrich concluded, underscoring the legal imperative to meet tax obligations.

The Dallas Central Appraisal District ransomware attack serves as a stark reminder of the vulnerabilities inherent in digital systems, particularly those managing sensitive public data. As Dallas County navigates this intricate web of cybersecurity threats, delayed services, and crucial tax deadlines, the focus remains on resilience, transparency, and robust data protection for its citizens.

Senior columnist Karen Eubank contributed to this report.