A British Columbia municipality is warning residents that some of their personal information may be in the hands of hackers after the compromise of the city’s email system.
Richmond, a city of about 231,000 in the greater Vancouver area, gave that warning last week after learning fraudulent emails were being sent in June from individuals claiming to be members of the municipality’s staff or the city-owned Gateway Theatre. This related to the discovery on June 7th of what the city calls “unusual and concerning activity in its information technology environment.”
“While the city is unable to ascertain the exact types of personal information impacted by the attack, we are proceeding on the premise that some users may have shared personal information in their email communications with the city or Gateway Theatre,” the municipality said in a statement on its website. “This could include facility and program participant information such as contact details and birth dates; permit and licence applicant information such as home addresses and telephone numbers; among other types of personal information which may be submitted by the public through the course of routine business.
“Because the fraudulent email messages may contain a fake PDF file attachment or a link to a website that may be used to spread malware to harm your device and/or computer network, residents are urged not to click on any attachments or links in suspect emails.”
All official city or Gateway Theatre communications will only come from an official @richmond.ca or @gatewaytheatre.com e-mail address, the statement emphasizes.
“There is no indication the attack accessed the city’s financial or human resources data, or any other enterprise systems or databases,” the statement adds. “City operations have not been impacted and business continues as normal.”
The attack has been reported to the RCMP and the Office of the Information and Privacy Commission of B.C..
Experts warn that attackers don’t have to break into an organization’s files servers to get valuable information. Sometimes customers include personal information in emails to organizations. In addition staff may send sensitive personal and corporate information to each other either in messages or attachments. Hackers may also take advantage of their access to an email system to send malicious email from an employee so it looks legitimate, or insert themselves into an email conversation to get information. For these reasons access to email systems have to be protected with multi-factor authentication, and, if necessary, encryption.