[BreachExchange] Saint John will rebuild from scratch after cyberattack, cover costs from reserves

Destry Winant destry at riskbasedsecurity.com
Fri Jan 15 10:43:37 EST 2021


https://www.cbc.ca/news/canada/new-brunswick/saint-john-cyberattack-ransomware-recovery-1.5869499

The City of Saint John will pay to build a brand new network after its
systems were taken hostage in a cyberattack, but it won't be cutting
services to do so.

The city was hacked on Nov. 13 of last year and has been trying to
recover, incrementally returning email and phone services to employees
and pivoting to different payment methods for parking and building
permits.

In his regular update to common council Monday, city manager John
Collin dispelled a rumour that the city has already paid a ransom to
the hackers, and confirmed the city will rebuild its network from
scratch instead of recovering what it's lost.

"Our analysis has confirmed that the degree of penetration of the
virus was indeed extensive," he told council.

Because of this and "several other reasons," Collin said repairing the
system is not the best choice.

Collin said this will prevent the risk of any virus remnants staying
in the system. He said this route "will take time;" the rebuilding
will likely take until April or May if all goes well.

"I must tell you that to rebuild everything over a four- to six-month
period is still very ambitious," he said.

The city has been relying on a temporary workaround to pay employees
and is operating a temporary website.

It's not clear exactly how much this cyberattack will cost the city at
the end, Collin said, and he won't share an approximate number.

"Although we can approximate some of the public costs, we are not yet
ready to describe the entire cost in detail," he said. "We will return
to council with the exact cost to the public once they are confirmed."

He said the city will have to pay insurance deductibles, but insurance
will cover the cost of restoring the city's "previous capabilities."

When the city rebuilds, however, it plans to make improvements, which
will come out of the city's IT reserves. He said the cost will not
force the city to revisit its budget.

Public will know if city pays ransom

Collin said if the city decided to pay a ransom, it would be a council
decision and would be made publicly.

"I will not say any more at this time, since we must not give any
valuable information to those who have attacked us," he said.

He said almost all municipal services will continue to be offered,
including fire and police.

The city is still working on restoring metered water bills, which are
expected to start being delivered again this week. The city is also
limited in issuing parking tickets and providing land transaction
services.

City still not sharing certain information

Exactly what it has lost is still not clear. The city has not shared
many details about who the attackers were and exactly what information
was compromised. Collin said this is intentional.

"We do not divulge information that could be useful to those who
attacked us. This includes giving them nothing on what systems they
successfully compromised, how we contain the virus or how we are
mitigating against potential future attacks."

He also said police are investigating the "hostile actors" but did not
say which agency.

While the city won't share some information, it has advised residents
to keep an eye out on their bank accounts and watch for suspicious
activity. A cybersecurity firm previously told CBC it hasn't found
payment card data from the City of Saint John in the dark web.

Collin said Monday that the city hired experts from the private sector
for a forensic analysis to find out if information such as residents'
credit card information or social insurance numbers was compromised.

"Although we have yet to receive the final report, indications so far
are that no [personal identifying information] has been leaked or
stolen," he said.

"We do not expect this to change in the final parts of the forensic analysis."

Collin said the city doesn't keep a lot of personal information on hand.

"Most of our needs are satisfied through cloud-based applications.
Therefore, we do not store this information within our networks," he
said.

Collin said immediately shutting down the network to stop the spread
of the virus seems to have stopped the virus from spreading to other
networks.

"We have no indications whatsoever that there was any spread of the
ransomware from any city-owned assets or systems to others," he said.

Councillors did not have any questions for Collin after his cyberattack update.

