Poof! Hackers Hold Dallas Police to Ransom, Eight Years of Evidence Lost

Lost evidence includes all body camera video and Microsoft Office documents collected from 2009 to present day, as well as some in-car video, some in-house surveillance video and some photographs collated during that period. Data backed up on DVDs and CDs remained intact.

The department confirmed some of the data was relevant to ongoing investigations. And the computer virus is thought to be the work of Ukrainian hackers.

In a statement, the department said it became aware that files on its server had been "corrupted by a computer virus" and "immediately disconnected the server and all computers from the internet and all state database systems," successfully containing the virus. It was later determined the virus had been introduced to the network via a spam email sent by a cloned email, imitating a department issued address.

"It is unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small," the statement continued.

The virus' creator(s) then tried to hold the files to ransom, establishing an internet webpage that stated a decryption key would be provided if a Bitcoin transfer (of approximately US$4,000 value) was made.

As there was no guarantee the decryption file would actually be provided, the department decided not to go forward with the Bitcoin transfer and to simply isolate and wipe the virus from the server. The department also said there was no evidence the data was exfiltrated to a remote server.

In an interview with WFAA, who broke the story, Stephen Barlag, Cockrell Hill's police chief, said that none of the lost data was critical and that the incident was not the work of hackers. The department also notified the Dallas County District Attorney's office of the incident.

"We were told by the FBI that paying doesn't always get you your information back. So we decided it was not worth it to pay, and potentially, not get anything back anyway. Everything that was lost is gone. Our automatic backup started after the infection, so it just backed up infected files. None of this was critical information," he said.

The department stated they were infected with the OSIRIS ransomware — however, OSIRIS ransomware does not exist. Instead, it's likely they were infected by Locky ransomware, which has an ".osiris" extension.

Barlag added he didn't know how much of the material lost was evidence in pending criminal cases, but said no cases have been dismissed because of the losses as yet.

Word of the loss of evidence spread when the department alerted several defense attorneys that video evidence in some of their criminal cases no longer exists.

J. Collin Beggs, a Dallas criminal defense lawyer who has a client charged in a Cockrell Hill felony evading case involving some of the lost video evidence, questioned a Cockrell Hill police detective in a hearing convened before Criminal District Court Judge Dominique Collins to compel the department to explain why it had not turned over video evidence in his client's case.

Beggs said the loss of video evidence is significant for his client and others charged in Cockrell Hill cases involving police video, as it makes it incredibly difficult if not impossible to confirm what's written in police reports if there's no video. He has asked the FBI for proof the computer virus incident actually occurred. An FBI spokesperson said the bureau does not "confirm or deny the existence of an investigation."

"The playing field is already tilted in their favor enormously and this tilts it even more," Beggs is reported to have said.