[BreachExchange] Hackers hit West Vancouver's server

Destry Winant destry at riskbasedsecurity.com
Tue Sep 4 23:30:03 EDT 2018


https://www.nsnews.com/news/hackers-hit-west-vancouver-s-server-1.23415718

West Vancouver is warning thousands of its residents after discovering
hackers installed malicious software on the district server used to
store personal information collected through its website.

District staff first noticed something suspicious on July 31. A
forensic search found malware installed on its server used for
collecting information from online “webforms.” The malware was quickly
cleaned and deleted but when staff searched again on Aug. 4, they
found more of a similar type and pulled the plug on all its webforms.

The district estimates roughly 4,870 forms have been filled out by
residents since 2013 for everything from requesting a pothole be
filled to applying for volunteer positions, according to District of
West Vancouver spokeswoman Donna Powers.

There is no way of knowing for sure if the people who installed the
illegal software actually got ahold of the district residents’ names,
addresses, phone numbers, email addresses, and IP addresses stored on
the server. (Residents' financial and tax data is stored on a separate
server not affected by the breach.)

“I think what we can say is there was malware on the same database
server that contained personal information. We can’t see that the two
ever came in contact but we have no way of, for certain, ruling it
out,” Powers said.

Because there is no definitive proof that sensitive data was accessed,
the district hasn’t notified the province’s Office of the Information
and Privacy Commissioner, Powers said.

The district has posted a warning about the potential breach on its
website but there are no plans to directly contact all 4,870 people
whose information may be at risk. There will be an exception, however,
for people who were minors at the time they used the webform. These
include online entries for a student video contest, that contained
more sensitive personal information “that in hindsight, maybe we could
have avoided putting there, like their grade and their school,” Powers
said.

Those minors or their legal guardians will be contacted by phone and
email, Powers said.

In the wrong hands, the personal information could be used to target
residents for scams or identity theft.

“We just want to reinforce that all you can really do is be aware. If
someone approaches you, whether it’s online or by telephone and you
don’t know who they are, you need to be cautious,” Powers said. “If it
seems suspicious, it probably is.”

The district is now making moves to harden its security, including
preventing website administrators from logging in remotely and the
district will not be using webforms in the same fashion in the future.

“It is going to reduce convenience both on the part of residents and
on staff,” she said. “We’re going to find that balance.”

In 2013, the district discovered its MyDistrict service, which
residents use to pay bills and set up preauthorized payments for taxes
and utilities, had been compromised. In that case, no one’s data was
stolen.

“The district does everything that we can to prevent this from
happening. But we’re really not alone in this… it’s a global
phenomenon and it’s all too common and there’s not a lot we can do,”
Powers said, noting that hackers are constantly devising new ways to
attack internet vulnerabilities.

Whether the breach was preventable or not though is up for debate,
according to West Vancouver resident and cyber security expert George
Pajari.

“It’s two breaches more than I’ve had. I run a system serving
16-million users,” said Pajari, who is the chief information security
officer for a major Vancouver-based tech firm. “It’s entirely possible
this was unavoidable but highly unlikely. I can’t tell you the last
time I studied a breach that was unavoidable.”

Documents released to Pajari under a freedom of information request
following the 2013 breach concluded district IT staff hadn’t been
installing regular updates and security patches.

“It was obvious the district was completely unprepared. It was a
disaster waiting to happen. They hadn’t taken what I would consider
the absolute basic steps to protect the information they were
holding,” he said. “Not only had they not subscribed to receive
notification of the patches from the vendor, they hadn’t updated their
software for months and months so they got knocked off.”

Pajari has already filed an extensive freedom of information request
with the district, seeking a full accounting of the latest breach.

“It’s snap-on-the-rubber-gloves time,” he said.

It was the right move by the district to warn residents, Pajari added.

“I can think that there are many Lower Mainland municipalities that
would not have done so because they are under no obligation to make
that proactive disclosure. This needs to be praised,” he said.

The full list of services that made use of the webform:

- Request for service
- Contact us
- Order recycling boxes or bags
- Feedback on Council initiatives such as the OCP, Arts & Culture
Strategy and Proposed Tree Bylaw
- RSVP to a World Café for the Arts & Culture Strategy
- Applications for Community Day: parade, vendors or booths
- Student video contest submissions
- Student summer daycamp volunteers
- Volunteer application forms
- Venue rental requests
- Youth Appreciation Award nominations
- Community Awards nominations

