Cyber Incident Victim: City of Cold Lake

Date: Jul 2024

Location: Canada

Summary

The City of Cold Lake experienced a cyber attack involving system encryption and ransom demands, prompting immediate recovery efforts focused on restoring services after confirming no compromise of personal or sensitive data. Phone lines were partially restored with limited capacity at key facilities, while affected servers were brought back online in isolated environments to monitor operational stability. Recovery procedures included verifying the integrity of on- and off-site backups protected by firewalls, alongside daily manually stored backups. Officials withheld specific attack details to avoid disrupting restoration efforts, acknowledging ongoing public patience as full recovery continues to require significant time.

Description

On July 23, 2024, the City of Cold Lake experienced a ransomware attack that encrypted portions of its systems and rendered them inaccessible. The attack caused immediate operational disruptions, though city officials confirmed upon initial assessment that personal data and sensitive information remained uncompromised. Chief Administrative Officer Kevin Nagoya prioritized service restoration following this determination, publicly affirming continued municipal operations despite technical challenges. Phone communications at City Hall and the Energy Centre were partially restored through call-forwarding arrangements, though only one line became operational per facility, creating potential call congestion during peak hours. The city advised residents encountering voicemail during business hours to redial, acknowledging persistent limitations in communication capacity. Nagoya emphasized public patience during the extended recovery period, noting full operational restoration would require significant time despite ongoing efforts.

Recovery operations involved systematically reactivating isolated server environments to monitor system stability and data integrity before full reintegration. Municipal IT teams evaluated both on-site and off-site backup systems—protected by firewalls and maintained through daily manual backups—to verify their security before reintroduction to the network. The city deliberately withheld technical details regarding the attack vector and perpetrator to avoid jeopardizing restoration activities. No ransom payment status or negotiation details were disclosed. Continuous public updates were promised as recovery progressed, with services gradually returning through controlled server reactivations. Operational adjustments remained in effect indefinitely while infrastructure verification and security protocols continued.
