Skip to content

Updated: WV municipality's data breached

District says data not copied in unauthorized access to server

THOUSANDS of West Vancouver residents who use the districts website service to pay bills, apply for licences or do other municipal business may have had their personal information compromised.

District staff put out a press release Wednesday afternoon informing the public of an "unauthorized access" to a server containing personal data related to pre-authorized payments plans for taxes and utilities, and the MyDistrict municipal services portal.

That server include names, addresses and bank account numbers but it does not store credit card, debit, social insurance or drivers licence information, according to the district.

So far, it does not appear any of the information was logged or copied elsewhere, according to acting director of communications Donna Powers.

"We want to get this out into the public even though we have no reason to believe that anybodys personal information has been compromised. We want to be as transparent as possible," Powers said.

The breach appears to have come from a weak spot in the security of the Cold Fusion software the district licenses from Adobe. District staff shut down their server and on July 22 after learning that a similar problem had arisen with the District of Maple Ridge and the City of Abbotsford, both of which use Cold Fusion for similar services.

Adobe provided a software patch to fix the security hole, but vendors should have been made aware, said Donna Crestwell, the districts manager of information technology services, similar to how auto manufacturers would be expected to issue a recall notice when a widespread problem is found in a production run of vehicles.

Now the district has hired a software security expert at $2,000 a day to audit the server and determine exactly what happened in the breach, but an early review doesnt indicate personal data has been stolen.

"They did an audit of the server and they found there had been access to the server but they couldnt find any evidence that the personal information stored on that server had been touched," Crestwell said.

The audit should take two days, and will be followed up with a report by the consultant.

About 5,000 people are signed up for the MyDistrict service and another 3,200 are set up for pre-authorized tax payments and 3,200 for utility payments though those groups overlap heavily, Powers said.

Anyone who has signed up for the services has been notified via email, where possible and others, for whom the district does not have an email address, will be notified by mail shortly. In the meantime, anyone who has registered with any of the districts online services should log in and change their passwords and keep an eye on their bank accounts for any suspicious activity, which is good practice today, regardless of the West Vancouver breach, Powers said.

Mayor Michael Smith stressed that it was an outside companys software that failed, and that so far, there appears to be no damage done.

"Its unfortunate and we obviously take it very seriously. When people trust the municipality with their information, we take every step we can to make sure that its kept confidential," said Mayor Michael Smith.

Correction: An earlier version of this story incorrectly stated that the faulty software was licensed through Tempest Development. This is not the case. Tempest Development makes software that runs on top of the faulty Cold Fusion software.