Cyber Incident Victim: West Vancouver
Date: Jul 2018
Location: Canada
Summary
Hackers installed malware on a municipal server hosting webforms used for various resident services, potentially compromising personal information such as names, addresses, phone numbers, email addresses, and IP addresses. The breach was detected after suspicious activity prompted forensic investigations, leading to malware removal and eventual shutdown of all webforms. While financial data remained unaffected due to separate storage, the district acknowledged uncertainty regarding whether attackers accessed stored information. Approximately 4,870 submissions dating back several years were exposed, primarily through forms for service requests, volunteer applications, and student contests. The municipality issued a public warning but limited direct notifications to minors involved in specific programs containing sensitive details like school grades. Security enhancements included restricting remote administrator access and revising webform usage practices. This incident followed a prior breach linked to inadequate software updates, highlighting ongoing cybersecurity challenges.
Description
On July 31, 2018, West Vancouver district staff detected suspicious activity on a server hosting webforms used to collect resident information. A forensic investigation revealed malware installed on the server, which stored personal data submitted through online forms since 2013. District spokeswoman Donna Powers confirmed the server contained names, addresses, phone numbers, email addresses, and IP addresses from approximately 4,870 submissions across services including pothole repair requests, volunteer applications, venue rentals, and student contests. Financial and tax data remained unaffected as it resided on a separate system. Staff removed the malware initially but discovered additional malicious software during a follow-up inspection on August 4, prompting the immediate shutdown of all webform services. The district could not definitively determine whether attackers accessed resident data, citing no observable contact between the malware and stored information. Consequently, West Vancouver did not report the incident to British Columbia’s Office of the Information and Privacy Commissioner, as no evidence confirmed unauthorized data exfiltration.

The district issued a public website advisory about the potential breach but opted against direct notifications for most affected individuals, except for minors who had participated in activities like student video contests or summer camp volunteer programs. These submissions contained sensitive details including school names and grades, prompting personalized phone and email alerts to guardians. The district had an earlier breach in 2013, of the MyDistrict payment portal, though no data theft occurred in that incident. Cybersecurity expert George Pajari, who obtained prior breach documents through freedom of information requests, criticized the district’s historical lack of software updates and security patches, calling its previous preparedness inadequate. West Vancouver implemented immediate security enhancements including restrictions on remote administrator logins and plans to redesign webform usage despite anticipated operational inconveniences. The malware’s presence created risks of identity theft or targeted scams, leading officials to advise heightened vigilance among residents. Affected services encompassed 11 categories ranging from recycling box orders to municipal feedback submissions, all hosted on the compromised webform server.
