Cyber Incident Victim: City of Regina

On October 5, 2018, the City of Regina disclosed that an employee email account had been compromised and used to conduct phishing attacks targeting other city staff and external contacts. The attackers leveraged the breached email to harvest additional passwords and email addresses, though the city asserted no data beyond one employee's email contact list appeared compromised. Cybersecurity consultant Russell Stephanson challenged this assessment, noting municipal systems often store sensitive resident information including names, addresses, and payment details for services like parking ticket or utility bill payments. He expressed skepticism about the city's ability to fully ascertain the breach scope, suggesting attackers could have accessed broader mailing lists or databases. The city declined to provide specifics about the intrusion method or timeline but emphasized cybersecurity as an organizational priority in a prepared statement.

Independent analysis by Stephanson revealed significant security deficiencies in Regina's municipal web infrastructure. Using only publicly available tools, he identified thirty vulnerabilities, including flaws enabling attackers to bypass existing security measures. The city's aging digital systems compounded these risks according to University of Regina technology professional Alec Couros, who noted older government infrastructure tends to be more exploitable. A planned website redesign scheduled for spring 2019 completion did not include security enhancements according to city documentation. Both experts highlighted systemic issues, with Stephanson describing Regina's security practices as "far below standard" despite no evidence of negligence, while Couros stressed the need for public education on recognizing social engineering threats alongside technological investments. The city maintained no evidence of resident data compromise beyond the initial email breach.