The July security breach that rattled the computer cages of Maple Ridge was a spam affair.
“There’s a number of these kind of phishing schemes around,” said Christina Crabtree, manager of the District of Maple Ridge’s information technology department.
Maple Ridge sent warning e-mails and letters last week to residents who used the My Maple Ridge online services to pay their bills and permits, as well as to residents who paid their taxes through pre-authorized withdrawals.
The letters told people some of their information could have been stolen, such as bank account information. Credit card numbers or driver’s licence numbers were never at risk.
But after investigating, staff found that spamming, not scamming or theft, was the motivation.
The breach allowed the spam to be sent from the district’s servers, sometime on either July 15 or 16, to users of Apple devices in France.
“The source appeared to be a French domain and it looks like it was targeted to Apple users,” Crabtree said.
The message was written in French and had an “.fr” suffix on the address so that it seemed to come from a French domain.
“It’s just an illusion they were trying to create.”
“What we are pretty solid on, it was a 12-hour period that we were sending spam. We able to narrow that down with all the logs we have.”
The investigation shows little likelihood that personal data was accessed. There was no evidence of any data mining.
“We don’t see any evidence of anybody getting stuff.”
The spam software broke through district defences on July 2 and attached itself to one of the district’s servers. It wasn’t detected until July 21. That’s when staff shut down the systems. Residents were told a week later on July 26.
Crabtree said a security audit is underway following the incident, adding there are always ways to improve security. Perhaps more triggers can be added to the system, for example, that would inform when perimeters have been breached.
“We have a lot of that stuff in place already.
“I think there’s always ways you can improve.
“You’re always on defence mode.”
Crabtree began focusing on computers for 25 years, after graduating with a degree in psychology and sociology. She joined the district seven years ago, after managing the Windows system for SFU, and for the past year has been directing the district’s 15-person IT department.
As the world goes digital, companies and governments are torn between ensuring information is safe and providing convenient service via computer and the Internet.
Almost every service offered by the district, except those requiring a physical presence, has gone digital. People can apply for their homeowner grant for their property tax discount online, they can check the GIS mapping system and find the exact zoning for an address. They can obtain building permits and dog licences and register for swimming lessons.
Now, thanks to wireless, building inspectors can file their reports online without having to return to office, saving time and money.
Council business, from reports and display boards from open houses, to agendas and video recordings of public meetings are also on the website.
“That’s the balance right? People want to be able to have services,” says Crabtree. “They want to be able to register for classes at the Leisure Centre at midnight. They want to be able to make their payments online. Everybody is so busy. Online services is what people want. So you have to have the balance between supplying services that people need and that when you do, you’re providing them in a secure manner.”
And when there’s a risk, people have to be told, she added.
“You need to let people know if something happens.”
She was proud of the IT department’s response once the breach was found. The whole system was shut down until security was fixed.
Nevertheless, it took a week before the public was notified, while the breach wasn’t discovered two weeks after it happened.
Each time you add an online service is added, vulnerability increases.
It is a challenge and you have to keep working at it, she adds.
“You have to have the people working in the department that are reliable and good at their jobs and have the ability to do what they need to do.
“It’s not something you can do by yourself. You have to have a strong team of people with all sorts of different skills, security people, people who deal with applications, customer service side, programming side, infrastructure side – all working together.”
When Crabtree got into the business decades ago, e-mail was only internal and there was no Internet.
Now, it’s all virtual and cyber in a parallel universe where characters flit as digital ghosts. The thieves come from all places, she points out. Whereas hacking used to be done for bragging rights for prestige, there is now value in breaking into systems by stealing identification, technology, ideas and money.
“You’re all so exposed. Twenty-five years ago, we had to make sure the server was in a locked room.”