[BreachExchange] City knew of massive cyber breach days before admitting it

Destry Winant destry at riskbasedsecurity.com
Fri Mar 8 10:32:51 EST 2019


Saint John officials waited three days before letting the public know
of a massive cyber breach that exposed the names and credit card
information of thousands of parking customers, documents show.

The municipality's official line is that it learned of a malware
attack on its parking fine server Dec. 21, 2018, in a pair of online
information technology news reports.

But documents obtained by CBC News show one of the reporters involved,
Howard Solomon of IT World, contacted the city by email Dec. 17 asking
for comment on the breach.

He followed up the next day with a link to a U.S.-based cyber security
blog, Gemini Advisory, that listed Saint John among dozens of cities

Was asked to call back later

The Gemini report even included the number of customers in Saint John
who were affected.

In correspondence with Solomon, city communications director Lisa
Caissie asks if he could call her two days later on Thursday, Dec. 20.

"The story is out today," replied Solomon. "I can't tell my editor the
story is going to be held two days."

The story described by Solomon was published online Dec. 18, by city
IT staffers only read the article — which singled out the city for
special mention — on Dec. 21.

Stuck to Dec. 21 date

That date has been used repeatedly by city staff in referencing the
cyber attack both in internal emails, a document presented to council,
and interviews with news media, including by Mayor Don Darling and
Stephanie Rackley-Roach, the city's director of corporate performance.

CBC reached Solomon in San Francisco, where the contributing writer to
IT World is attending a security conference.

He said he contacted the city to find out what staff knew about the
attack, when they found out, and what steps the municipality was
taking to alert customers whose personal and credit card information
had been exposed.

"The city never got back to me, which would suggest that they found
evidence that there was indeed a breach," said Solomon.

While the record shows Solomon informed the city of the cyber attack,
the city may not have immediately believed his information.

On Dec.19, the day following Solomon's exchange with Caissie, the city
received notice from CentralSquare Technologies, the Florida company
providing the Click2Gov parking server software, that there was no
problem with the system.

"Resolution: Checked Click2Gov server for evidence of malware/possible
breach, no evidence found of breach/malware," says the statement
signed only "Customer Support."

City questioned accuracy

Disbelief in the cyber breach continued even into the morning of Dec.
21 when Caissie sent an email to Gemini Advisory saying the
municipality had "concerns about the accuracy" of information reported
in the news story of the breach.

Stas Alforov, Gemini's director of research and development, responded
with a list of the names and addresses of 4,600 Saint John residents,
or "victims," uploaded from the city's server over a 16-month period
beginning July 2017.

Up to 6,000 users are believed to have been affected by the Saint John breach.

But even while staff were getting incorrect information from the
city's software support company, there is evidence they were informed
a month earlier of a malware problem with the municipal parking

User reported an issue

On Nov. 16, 2018, the city was contacted by Jason Landry, whose name,
while redacted in numerous emails released to CBC, remains unredacted
in at least one instance.

"My payment card was only just activated yesterday and only to pay my
parking ticket," wrote Landry. "My card number was leaked and used
three times last night for purchases in the U.K."

A followup internal email posted at 11:01 that night by Robert James,
the city's operations manager for IT infrastructure, said
CentralSquare checked the Saint John server and "see nothing out of
the ordinary and no sign of a breach."

CBC was unable to reach Landry on Tuesday.

The city took it's click2gov parking server offline Dec. 21 and a new
system is expected to put into operation during the second quarter of
the year.

A spokesperson said city staff are working on a response to a CBC
request for comment on documents obtained through a right to
information request.

Darling could not be reached for comment.

More information about the BreachExchange mailing list