Cyberattacks on municipalities have cost taxpayers a reported $379 million since 2020

In December 2019, an employee at the municipality of WestLake-Gladstone in Manitoba clicked a malicious link in a fraudulent email, triggering a series of cyberattacks that led to the municipality losing over $450,000.

In November 2020, Saint John, N.B. paid $2.9 million to overhaul its website after fraudsters got a hold of the municipality’s network.

In January 2021, Durham Region, Ont., had several gigabytes of personal data stolen and ransomed.

The list goes on—Wasaga Beach, Ont., Midland, Ont., Stratford, Ont., and other municipalities have all been targeted by cyberattacks within the last four years. Between 2020 and 2021, scams and fraud jumped 130 per cent, with Canadians losing a reported $379 million, according to the Canadian Anti-Fraud Centre (CAFC).

“Municipalities are a very good target for bad guys,” says Ali Ghorbani, a cyber security professor at the University of New Brunswick and the director of the Canadian Institute for Cyber Security.

The reason municipalities are so attractive, Ghorbani says, is that they’re dealing with sums of money far more substantial than an individual, often reaching into the millions. They also store citizens’ private data through bylaw, permitting, and other services.

The most common attack is through ransomware, Ghorbani says. Fraudsters gain access to a municipality’s network through social engineering, which involves manipulating someone into performing an act or divulging confidential information.

Phishing scams fall under this category. An employee within the municipality will receive an email from a seemingly trustworthy source. The email will contain a link. When the employee clicks on the link, ransomware is installed on the municipality’s network.

“They’re establishing admin access to the infrastructure, and then they take over the data and encrypt it so no one else can open it,” Ghorbani says.

The fraudsters then hold this private data ransom, threatening to release it unless the municipality pays them a sum of money. It’s the same technique fraudsters use to target individuals, but with higher stakes.

“The municipalities often have no choice but to give in to the ransom attackers and pay for the data to be released,” Ghorbani says. “It’s not like with one person who may decide, ‘I’m not paying this amount.’ Municipalities have an obligation to bring back the data.”

In WestLake-Gladstone, the fraudsters got inside the municipality’s system through a phishing scam and started draining bank accounts, converting the money into Bitcoin and making it disappear. In Saint John, fraudsters froze all services on the municipality’s website, demanding $17 million in Bitcoin to release the network. In Durham Region, fraudsters got in through the municipality’s use of Accellion File Transfer Appliance software, a product that led to a mass spree of cyberattacks around the world.

Each of these municipalities would have had a set of cyber security protocols, but they failed. In Canada, there aren’t any blanket cyber security rules municipalities are mandated to follow. The Association of Municipalities Ontario (AMO) offers a cyber security toolkit, providing advice and highlighting key security considerations. But the degree of protection falls to the municipality.

This can prove problematic for rural municipalities. A municipality like WestLake-Gladstone will have a much smaller budget than an urban centre like Toronto, meaning it has less money to spend on cyber security. Tech talent also tends to flock to jobs in big cities, forcing rural municipalities to pay more to attract experts. “There’s no IT or expert capacity in those areas,” Ghorbani says.

But this doesn’t mean rural governments have to be left unprotected. For tight-budgeted municipalities looking to enhance their online defences, Ghorbani suggests sharing the cost of hiring a cyber security expert with other nearby municipalities. “They share fire trucks when there is a fire, why don’t they share when it comes to cybersecurity?” he says. Two or three nearby municipalities could pool their resources to have an expert come in for several months to overhaul their IT department and make sure their infrastructure is up to date.

Education is another key deterrent. Training municipal staff and citizens can make a big difference, Ghorbani says. “Then they have informed employees that use their system properly.”

To educate staff and citizens, Ghorbani recommends publishing education tips on the municipality’s website and offering a workshop every few months on how to stay safe.

“Municipalities shouldn’t have the mindset that they’re small, so they’re not going to spend money on doing anything because they may not be a target,” Ghorbani says. “They miss the point that bad guys don’t really care. They take whatever they can. In fact, a smaller fish is more attractive to them because it’s less publicity than attacking a big fish.”
