West Vancouver is warning thousands of its residents after discovering hackers installed malicious software on the district server used to store personal information collected through its website.
District staff first noticed something suspicious on July 31. A forensic search found malware installed on its server used for collecting information from online “webforms.” The malware was quickly cleaned and deleted but when staff searched again on Aug. 4, they found more of a similar type and pulled the plug on all its webforms.
The district estimates roughly 4,870 forms have been filled out by residents since 2013 for everything from requesting a pothole be filled to applying for volunteer positions, according to District of West Vancouver spokeswoman Donna Powers.
There is no way of knowing for sure if the people who installed the illegal software actually got ahold of the district residents’ names, addresses, phone numbers, email addresses, and IP addresses stored on the server. (Residents’ financial and tax data is stored on a separate server not affected by the breach.)
“I think what we can say is there was malware on the same database server that contained personal information. We can’t see that the two ever came in contact but we have no way of, for certain, ruling it out,” Powers said.
Because there is no definitive proof that sensitive data was accessed, the district hasn’t notified the province’s Office of the Information and Privacy Commissioner, Powers said.
The district has posted a warning about the potential breach on its website but there are no plans to directly contact all 4,870 people whose information may be at risk. There will be an exception, however, for people who were minors at the time they used the webform. These include online entries for a student video contest that contained more sensitive personal information “that in hindsight, maybe we could have avoided putting there, like their grade and their school,” Powers said.
Those minors or their legal guardians will be contacted by phone and email, Powers said.
In the wrong hands, the personal information could be used to target residents for scams or identity theft.
“We just want to reinforce that all you can really do is be aware. If someone approaches you, whether it’s online or by telephone and you don’t know who they are, you need to be cautious,” Powers said. “If it seems suspicious, it probably is.”
The district is now making moves to harden its security, including preventing website administrators from logging in remotely, and it will not be using webforms in the same fashion in the future.
“It is going to reduce convenience both on the part of residents and on staff,” she said. “We’re going to find that balance.”
In 2013, the district discovered its MyDistrict service, which residents use to pay bills and set up preauthorized payments for taxes and utilities, had been compromised. In that case, no one’s data was stolen.
“The district does everything that we can to prevent this from happening. But we’re really not alone in this… it’s a global phenomenon and it’s all too common and there’s not a lot we can do,” Powers said, noting that hackers are constantly devising new ways to attack internet vulnerabilities.
Whether the breach was preventable or not, though, is up for debate, according to West Vancouver resident and cyber security expert George Pajari.
“It’s two breaches more than I’ve had. I run a system serving 16-million users,” said Pajari, who is the chief information security officer for a major Vancouver-based tech firm. “It’s entirely possible this was unavoidable but highly unlikely. I can’t tell you the last time I studied a breach that was unavoidable.”
Documents released to Pajari under a freedom of information request following the 2013 breach concluded district IT staff hadn’t been installing regular updates and security patches.
“It was obvious the district was completely unprepared. It was a disaster waiting to happen. They hadn’t taken what I would consider the absolute basic steps to protect the information they were holding,” he said. “Not only had they not subscribed to receive notification of the patches from the vendor, they hadn’t updated their software for months and months so they got knocked off.”
Pajari has already filed an extensive freedom of information request with the district, seeking a full accounting of the latest breach.
“It’s snap-on-the-rubber-gloves time,” he said.
It was the right move by the district to warn residents, Pajari added.
“I can think that there are many Lower Mainland municipalities that would not have done so because they are under no obligation to make that proactive disclosure. This needs to be praised,” he said.
The full list of services that made use of the webform:
- Request for service
- Contact us
- Order recycling boxes or bags
- Feedback on Council initiatives such as the OCP, Arts & Culture Strategy and Proposed Tree Bylaw
- RSVP to a World Café for the Arts & Culture Strategy
- Applications for Community Day: parade, vendors or booths
- Student video contest submissions
- Student summer daycamp volunteers
- Volunteer application forms
- Venue rental requests
- Youth Appreciation Award nominations
- Community Awards nominations
This story has been updated to clarify that only the server used to host the district's website was affected.