Cyber Incident Victim: Gouvernement du Québec
Date:
Nov 2022
Location:
Canada
Summary
The city of Westmount experienced a significant cyberattack attributed to the Lockbit hacker group, which claimed theft of 14 terabytes of data and threatened its release within two weeks. Municipal staff initially detected technical anomalies, prompting precautionary shutdowns of some systems, while external confirmation of the breach came via a journalist’s alert rather than direct communication from the attackers. Critical email services remained disrupted, though the city’s primary website functioned normally with a posted advisory about the outage. Response efforts involved collaboration with the Quebec Federation of Municipalities to address the incident, which notably lacked typical ransomware negotiation patterns despite the data exfiltration threat.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around November 13, 2022, the City of Westmount, Québec, experienced a significant cybersecurity incident involving unauthorized access to its systems. The Lockbit ransomware group publicly claimed responsibility for the attack, asserting they had exfiltrated approximately 14 terabytes of municipal data and threatened to release the stolen information within a two-week timeframe. Initial detection occurred when city staff observed technical anomalies during the week following the breach, though the organization first learned of the hackers' involvement through external notification—a La Presse journalist alerted Westmount’s head of information technology about Lockbit’s claim before any direct communication from the threat actors themselves. This deviation from typical ransomware engagement protocols, where attackers usually initiate contact with victims to demand payment, complicated early assessment efforts. Over the subsequent weekend, an employee reported additional system irregularities, prompting the city to proactively shut down affected machines as a containment measure.
The incident disrupted municipal email services, necessitating a public notification on Westmount’s operational website advising residents of the outage and redirecting them to telephone directories for departmental contacts. Operational impacts included prolonged email inaccessibility and potential exposure of sensitive administrative data, though the city’s primary webpage remained functional throughout the event. Westmount engaged the Québec Federation of Municipalities for technical support and incident response coordination, though specific remediation steps or forensic findings were not publicly disclosed. Lockbit’s data release deadline introduced reputational and operational risks associated with potential publication of stolen records, though no subsequent disclosure was confirmed in available reporting. Municipal operations continued with alternate communication channels while restoration efforts remained ongoing at the time of reporting.