BANFF – Personal information of Town of Banff employees may have been accessed in the recent cybersecurity attack against the municipality.
The Town of Banff is still not saying if anyone has threatened to sell or release data that was accessed in the March 19 computer hacking incident as part of any ransom demand.
Administrative officials say the goal is to be as transparent as possible, but it will take time to compile, verify and release information because the cybersecurity investigation is continuing.
“As soon as we have additional information we will update the public accordingly,” said Town Manager Kelly Gibson.
“This is an ongoing investigation and we have a large amount of data that we’re going through right now.”
Based on new results of the ongoing investigation, Town administrators say there is a risk that some personal information of Town of Banff employees may have been accessed by the unauthorized third party.
Jason Darrah, the director of communications, said the information the Town of Banff collects for payroll, benefits and tax purposes contains more detailed personal information, unlike anything the municipality collects from members of the public for programs.
He said it’s not yet known if any of this personal information was taken and there is currently no evidence of misuse of this personal information, but the Town is offering a credit monitoring service to all employees due to the risk of identity theft.
“Protection of personal information of employees and the people we serve is critical to the Town, so this news of a potential risk to our staff is very concerning,” Darrah said.
Municipalities can be favoured targets of cybersecurity attackers because their cyber defences aren’t as sophisticated as larger levels of government. Attackers believe cities and towns may be more willing to pay ransoms than other organizations because of the amount of personal information they hold.
Banff town council has been given updates on the cybersecurity situation during in-camera meetings.
After a 1.15-hour in-camera meeting on April 5, council approved a confidential motion on a 5-2 vote. There were no details on what the motion was about, other than to say: “confidential recommendation 1 contained in the confidential distribution.”
Councillors Hugh Pettigrew and Ted Christensen voted against the motion, while Mayor Corrie DiManno and councillors Chip Olver, Grant Canning, Kaylee Ram and Barb Pelham were in favour.
Following another in-camera meeting on April 11, council approved another confidential recommendation, but this time it was unanimous.
The Town of Banff has cited the Freedom of Information Protection of Privacy (FOIP) section 24 (advice from officials), section 25 (disclosure harmful to economic and other interests of a public body), and section 27 (privileged information ) as reasons for keeping the motion confidential.
Those sections of FOIP, however, don’t require council to keep matters private, but rather indicate they may keep them confidential. While more frequent in bigger cities, keeping motions confidential has not been a common practice of Banff council until more recently.
“In accordance with FOIP, the municipality ‘may’ keep a recommendation confidential, to give elected officials the ability to discuss and make recommendations on sensitive topics,” said Darrah.
Long-time Banff resident Lee O’Donnell questioned council on the cybersecurity incident during the public portion of the April 11 meeting.
He indicated the public is very interested to hear more details on the level of exposure due to the data hack, including timing on when the public will be updated.
“The public is aware that something occurred and as time goes on and they’re not aware of what occurred that creates ….” he said.
Mayor Corrie DiManno interjected: “We will be giving another update as soon as we have the information available.”
The threat of cybersecurity is a growing challenge for municipalities.
In April last year, the Resort Municipality of Whistler (RMOW) in British Columbia had a cybersecurity event.
As a result, non-essential town services in Whistler were suspended when email, phone, network services and the website were taken offline and stayed down for weeks. Critical infrastructure such as water and sewer, and emergency systems like 911 and the fire department were secure and operated as normal.
Following a months-long investigation in cooperation with cyber security experts, Whistler found no evidence that private personal information of the public was obtained by criminals in the cybersecurity incident.
However, according to a July 8, 2021 press release, the cyber-criminals did obtain the contents of personal drives on employee computers, which were drives on the municipality’s network where employees could store personal information under the RMOW’s electronic communications procedure.
The municipality reported that experts leading the cybersecurity investigation believed that cybercriminals accessed the RMOW’s network through a zero-day vulnerability, which is an unknown flaw in software that is taken advantage of before a fix is available.
“The RMOW has also reported that it did not receive a ransom request, nor did the RMOW make any payment to, or engage in dialogue with, the cybercriminals,” the municipality said in the news release.
Also in 2021, Ontario’s Regional Municipality of Durham, which provides regional services to eight local municipalities north of Lake Ontario including the City of Oshawa, reported it was a victim of a cybersecurity incident.
In 2018, two small Ontario towns, Wasaga Beach and Midland, paid ransom demands to reclaim data after anonymous computer hackers held their computer systems hostage for more than two days. Wasaga Beach paid $35,000, while Midland did not disclose how much was paid.
Alberta Municipalities, formerly Alberta Urban Municipalities Association, recently commissioned Ontario-based Stratejm to do a report on best cybersecurity practices for members given the growing threat of cybersecurity incidents.
Apart from the benefits offered by technology in local governments to help improve services and programs for residents, digital transformation activities have introduced vulnerabilities that hackers can exploit to cause a data breach.
According to the report for Alberta Municipalities, local governments most often fail to implement security controls when connecting to a computer network or the internet.
“In effect, lack of adequate security protocols results in weak municipal systems that hackers can easily exploit to take control of systems, knock out public services, and steal confidential information,” the report states.
Hackers use a wide range of tactics and threats to target people, processes, and technology in municipalities – ransomware Attacks, unpatched devices, malware, business email compromise, distributed denial of service, social engineering and insider threats.
It is not known at this point how or in what manner the hackers attacked the Town of Banff.
According to the Alberta Municipalities report, municipalities are suffering numerous impacts from the increasing rates of cyberattacks on organizations.
“A data breach causes financial loss due to recovery costs and ransoms,” the report stated. “Additionally, it may take days or even months to fix a data breach. Sometimes, the victim may never fix the breach, and hackers put government and personal data on the black market.”
The AUMA report recommends a range of best practices for municipalities to follow – everything from updating and patching systems and data encryption, to awareness training and installation of security tools, to access control, continuous monitoring, cybersecurity policies and procedures, systems and data backups and partnering with a managed security services provider.
The report concluded the threat of a cybersecurity incident is a “growing challenge without a definitive solution”. For municipalities, cyberattacks can halt operations, put residents’ information at risk, and compromise critical infrastructures such as water, transport, and waste management.
“The problem is now at the forefront as municipal governments across Canada and the world are falling victim to frequent and sophisticated cybersecurity incidents,” states the report.
But there is no one-size-fits-all solution for security challenges, according to Alberta Municipalities.
“Fortunately, talking about the challenges, sharing past cyber incident experiences, and developing a wide range of best practices is the proven methodology way to address cyber threats in municipalities,” according to the report.
In Banff’s case, a team of independent cybersecurity experts with KPMG has been brought in to assist the municipality in dealing with the matter. The RCMP have been notified and Alberta’s privacy commissioner has also been alerted.
While there are no specific details on what type of security the Town of Banff had in place or is putting in place, administrators say the Town of Banff is committed to data safety and is conducting a careful review of all systems data and all security protocols.
“Our IT team and contracted cybersecurity experts also continue to strengthen the security of all our systems and processes to safeguard against future incidents, while the investigation into the breach and its risks continues,” said Darrah.
Following the incident, the Town of Banff retained access to its data and information systems at all times and the municipality’s critical systems were completely unaffected, such as those in place for emergency response like the Banff Fire Department. Infrastructure such as water and sewage were also secured and operating as normal.
However, some of the Town of Banff’s non-essential systems were affected such as webcams, for example. The system for renewing parking permits was also temporarily shut down.
Another example is the development permit viewer is currently offline, which is a web application that is managed on systems in Town of Banff facilities, and as such was disconnected from public web access immediately when the unauthorized access to the computer systems was detected.
Darrah said this was part of the security process to close all access to Town systems.
“As the cybersecurity investigation continues, our web based systems are being gradually reconnected to public access, after security enhancements are installed, in order of priority,” he said.
“Systems like the public webcams of streets and the development permit viewer are lower priorities.”
Gloss