Date: 2020-02-05
Over the Christmas season, the municipality of Summerland’s utility website was hacked. No damage was done. The site was quickly restored.
“There was a vulnerability found and patched by the utility system provider,” explained Karen Needham, Summerland’s director of corporate services.
But other cities and public agencies around the continent have suffered major damage from hacking, particularly from a form known as ransomware. Hackers encrypt documents in a computer system and demand a ransom to free it. Some cities pay. Some don’t, but pay much more to repair their systems.
Baltimore, Maryland, refused to pay a $75,000 ransom demand last year. The city estimated the cost of repairing the damage done to its systems at $18 million.
In 2018, Midland and Wasaga Beach, Ont., paid $76,000 and $34,000 in ransom to get access to their systems back. Midland, at least, had an insurance policy to cover the costs. Summerland has a policy too, although when asked what Summerland would do if hit with a ransomware attack, Needham noted: “There would be many variables involved before a decision would be made.”
LifeLabs, a medical testing company with 15 million clients, mostly in B.C. and Ontario, paid an undisclosed ransom to unlock its computer systems last fall. LifeLabs said the compromised database included health card numbers, names, email addresses, passwords and dates of birth.
Saskatchewan eHealth’s system was hit, but not crippled, by a ransomware attack in December.
In an announcement that the B.C. and Ontario privacy commissioners would investigate the LifeLabs hack, Ontario’s information and privacy commissioner Brian Beamish said: “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”
So, what are local municipalities and public agencies doing to protect your data?
A lot, as it turns out, but is it enough?
“We have confidence in the security systems we have put in place, but hackers are always coming up with new and creative ways of attack,” said Brian Abrey, infrastructure systems manager with the City of Kelowna. “Every organization is susceptible to an intrusion, despite best efforts, but we are definitely keeping up with best practices on how to maintain security.”
Constant vigilance is required to keep computer systems safe, say the people in charge of local government systems.
We take a look at the cybersecurity measures local governments in the Okanagan are taking in the feature below.
Data protection a round-the-clock job
Don’t worry Okanagan residents. The confidential, personal information local governments and public agencies have on you is perfectly safe and will never fall into nefarious hands.
Well sure, that’s the message local municipalities, Interior Health and school districts would like to tell you. And you wouldn’t believe them if they did.
For years, we’ve been hearing about large private companies being hacked and their customers’ information being stolen or made public.
More ominously perhaps, public agencies and local governments are being hit with ransomware demands and other cyberattacks lately.
So how safe are the systems of our local governments and agencies here in the Okanagan?
Cybercrime is a “constant threat and no systems or organizations are completely immune from cybercrime,” acknowledged Mark Braidwood, Interior Health’s director of information technology, and information privacy and security.
While local organizations can’t promise they’ll never be hacked, the efforts they’re making to prevent it are considerable. A big part of that is training staff to do its part to keep intruders out.
“More than half of the risk is associated with human behaviour,” said Jon Rever, assistant superintendent with Central Okanagan Public Schools.
In other words, most cybercriminals still rely on a human mistake to help them get into a system.
In perhaps the most famous hack of them all, that’s how the Russians got into the Democratic party’s emails in the 2016 U.S. election campaign, revealing embarrassing emails that likely helped Donald Trump win the election.
They got someone in the party to bite on a phishing email and open something he or she shouldn’t have. This gave the Russians access “to hundreds of thousands of documents from the compromised email accounts and networks,” which they turned over to Wikileaks and other document-spilling websites, according to special investigator Robert Mueller’s report.
Local governments train their staff members not to open phishing emails.
“We developed and maintain a comprehensive cybersecurity education and awareness program to ensure that we have the best possible protection against human behaviour. This training includes regularly sharing current information as well as running training modules and simulations,” said Rever.
The school district has planned a simulation in which a fake phishing email would be sent to all staff. Its arrival shouldn’t be a surprise. Staff was notified it’s coming.
Staff training is ongoing at Interior Health, too: “IH runs regular education exercises with all staff to ensure they have an awareness of phishing risk, how to recognize it, and take appropriate actions,” said Braidwood. “Staff at all levels are required to complete annual online information privacy and security training.”
Everyone hired by the City of Vernon takes cybersecurity training.
“Every person who joins the organization is required to go through training in order to help protect our system and identify potential threats while using the network,” said communications manager Christy Poirier. “Specific policies and procedures have been put in place to guard against cyberattacks and to help staff understand the seriousness of protecting the information on our network.”
“We are doing corporate-wide cyber security training to give staff the tools to be able to identify phishing emails and deal with them appropriately,” said Brian Abrey, the City of Kelowna’s infrastructure systems manager.
Of course, having up-to-date hardware and software matters too.
“Keeping software up to date is an important part of prevention,” said Abrey. “We employ state-of-the-art firewalls, email filters, web filters, software update strategies, backup strategies, password policies and antivirus protection.
“We have undertaken multiple third-party security audits to identify gaps and weaknesses, and then taken action to address them,” he said.
At the Central Okanagan school district, “monitoring, assessing, reporting, and recommending on potential cybersecurity threats are a daily part of our IT operations,” Rever said.
“We work closely with the Ministry of Education and a number of cybersecurity providers to deploy state-of-the-art and industry standard security technology across all network systems and devices,” said Rever. “We have been working on our privacy and cybersecurity strategy for three years,” he said.
That three-year effort began following a brief hack of the district’s phone system from Africa and the Ministry of Education insisting school districts improve their cybersecurity. The district now has an advisory council on privacy and cybersecurity as well as an ongoing education and awareness program.
Over at Interior Health, “IH maintains an information security team and staff dedicated to an information security program and continues to invest in resources to maintain and improve our environment relative to cybersecurity threat. We follow industry best practice for cyber defences,” said Braidwood.
IH, too, is in regular contact with other agencies about cybersecurity.
Constant upgrades are also standard at the City of Vernon.
“As the world becomes more connected online, the city pays close attention to new digital threats and makes adjustments as necessary to protect information and the security of our network,” said Poirier.
Karen Needham, director of corporate services at Summerland, said upgrades are constant. Measures include up-to-date firewalls and anti-spam software.
Summerland also limits how much personal information it collects. Needham noted privacy laws require that all personal information be stored in Canada.
So what to do in the event of an attack? Would public authorities pay a ransom?
Rever said the school district has protocols for responding to various potential incidents, but “every scenario is unique, which is why we have multiple protocols to respond to particular issues. There is no uniform answer for these questions.”
Braidwood notes IH and the province have yet to face a ransomware demand. To hopefully prevent ever getting one, “IH runs regular education exercises with all staff to ensure they have an awareness of phishing risk, how to recognize it and take appropriate actions.”
Abrey said the best defence against ransomware is to prevent an attack. The next best defence is to back up your data.
“Speaking generally, we depend on all of the various levels of security we have in place to help prevent an attack from occurring. The next best protection against a ransomware attack is to have good backups that can be used to restore data after the virus has been identified and killed.”
“We have backups to restore our data,” said Needham. She also said Summerland follows protocols from the Office of the Privacy Commissioner to address any breaches of privacy.
Some local organizations want the public to know about the efforts they’re making on cybersecurity, but others were reluctant to talk about it.
“I would love to let our community members know about the work we are doing to ensure the safety of students, parents and staff in addition to protecting their privacy and personal information,” said Rever in an email to The Okanagan Weekend.
Vernon school district didn’t want to reveal too much.
"We do not want to divulge too much information on the type of protection the school district has in place. We can confirm we have significant processes in place to protect the district from hackers, SPAM and ransomware attacks. Our system is monitored daily and staff is reminded to be diligent of questionable emails," said spokeswoman Maritza Reilly in an email response.
West Kelowna and Penticton responded to our questions with essentially no comment. The Okanagan-Skaha school district didn’t respond to emailed requests for information.
QUICK QUOTES
“We live in a digital age. Research has shown that many people spend as much time online as they do offline, conducting both personal and business transactions. With this, digital attacks such as hacking, ransomware and phishing scams are prevalent across the globe. Every computer around the world that is connected to the internet is vulnerable in some capacity.”
— Christy Poirier, communications manager, City of Vernon
“We are following new developments in security strategy and compromise very closely. We are notified of attacks by some of the security agencies and groups we are a part of, as well as through the media. We look at attack vectors used and ensure that we have done everything we can to protect ourselves from something similar.”
— Brian Abrey, infrastructure systems manager, City of Kelowna
“We work closely with the Ministry of Education and a number of cybersecurity providers to deploy state-of-the-art and industry-standard security technology across all network systems and devices. Again, our planning and processes are very thorough so that we reduce technological risk and educate our users to reduce the risk of human error.”
— Jon Rever, assistant superintendent, Central Okanagan Public Schools
“IH takes our obligation to protect the personal health information of our patients and clients very seriously, and keeping IH systems and software up to date is part of a broader information security program that helps reduce the risk of cyber threats.”
— Mark Braidwood, Interior Health director of information technology, and information privacy and security
RANSOMWARE
Here’s what Norton, one of the best-known computer anti-virus companies, says about ransomware: “The idea behind ransomware, a form of malicious software, is simple: Lock and encrypt a victim’s computer or device data, then demand a ransom to restore access. Ransomware holds your personal files hostage. Those files are still on your computer, but the malware has encrypted your device, making the data stored on your computer or mobile device inaccessible.
“In many cases, the victim must pay the cybercriminal within a set amount of time or risk losing access forever … Paying the ransom doesn’t ensure access will be restored.”
PHISHING
And here’s some of what Norton says about phishing:
“Ever get an email that looks like it’s from your bank warning you that it will freeze your checking account unless you verify your personal information? These emails never come from your actual bank. Such emails are an example of phishing, an effort by scammers to trick you into giving up personal information that they can then use to access your bank accounts or credit cards.
“PayPal, credit card companies, mortgage lenders and banks will never contact you by email to request any personal information from you. Instead of clicking on links in emails, log into your account on your own.”
— Source: us.norton.com
CYBERBREACHES
Some recent examples of hacking and ransomware that have affected governments and public agencies.
Baltimore, Maryland
On May 7 last year, city computer systems were hacked with a ransomware program known as RobbinHood. Baltimore refused the hacker’s demand for US$75,000 in bitcoin. Costs to repair the damage totalled $18 million, which the city said was a combination of lost or delayed revenue and costs to restore and upgrade computer systems.
Midland, Ont.
On Labour Day weekend in 2018, the town’s computer system was hit with a ransomware virus. Midland paid approximately $76,000 in bitcoin to regain access to its system after about seven weeks. The town had an insurance policy in the event of such an attack, according to the Midland Mirror.
Wasaga Beach, Ont.
The town’s computer system was down for several weeks before it paid a ransom of about $34,000, according to the Midland Mirror. Other costs, including loss of productivity, new hardware and consultant fees, were estimated at $250,000.
Saskatchewan eHealth
The computer system that stores medical data of Saskatchewan residents was hit by a ransomware attack on the last Sunday of 2019. In a statement, eHealth said staff isolated the virus and prevented it from getting into the whole system. Repairs continue, but patient data wasn’t affected, the CEO said.
Canada Post
Customers with online accounts were asked to reset their passwords in October.
“There has not been a cyberattack or breach of the Canada Post network but we are investigating a report that some customer information may have been compromised in 2017,” the post office wrote to customers.
“We have been able to determine that login and password credentials stolen in external privacy breaches unrelated to Canada Post were used to access individual Canada Post accounts. This is possible when users reuse their credentials on several websites for convenience or to avoid having to remember different passwords.”
New Orleans
A cyberattack knocked out most of the city’s computer systems on Dec. 13 as a tax payment deadline approached. Three weeks later, a temporary system had been set up to accept tax payments. The system has since been repaired, but nola.com reported: “about one in five computers were so compromised by the attack that they will have to be replaced, officials have said.”
Jackson County, Georgia
The 911 dispatch centre went dark, jail doors wouldn’t open and sheriff’s deputies couldn’t access their laptops after a ransomware attack in October, The Associated Press reported. Jackson County paid $400,000 to obtain a decryption code, county manager Kevin Poe said.
Major hacking and ransomware cases in the private sector.
LifeLabs
A medical services company with 15 million customers in B.C. and Ontario paid a ransom to unlock its computer systems late last year. LifeLabs said the compromised data included health card numbers, names, email addresses, login, passwords, dates of birth and some medical test results in Ontario.
Equifax
In 2017, the personal information and credit card details of some 143 million Americans, 400,000 Britons and 19,000 Canadians were compromised in a cyberattack. Class-action lawsuits have been filed.
Travelex
A data breach was revealed New Year’s Eve when the currency-exchange company went off-line, affecting the ability of some banks to provide foreign currencies to their customers. A hacker group called Sodinokibi demanded $6 million. Travelex said later it contained the virus and no customer data had been breached.
TransUnion
TransUnion, a credit monitoring firm similar to Equifax, said someone accessed its data by using a business customer's login, compromising personal information of about 37,000 Canadians, The Canadian Press reported in October.
Other financial breaches
Capital One said in July data of six million Canadians was hacked, including about a million social insurance numbers. Desjardins said in June the data of about 2.7 million accounts was breached, The Canadian Press reported.
Heritage Company, Arkansas
A U.S. fundraising firm closed its doors and laid off 300 workers following a ransomware attack in October. The company paid the ransom, but still couldn’t get its computer system up and running.
