Cyber Incident Victim: City of Westmount
Date:
Nov 2022
Location:
Canada
Summary
A Québec municipality experienced a significant cyberattack involving the theft of 14 terabytes of data by the Lockbit hacker group, which threatened to release the information within two weeks. The breach was initially detected internally when an employee reported technical issues, prompting precautionary shutdowns of some systems, though the hackers’ claim of responsibility was first relayed to municipal IT staff by a journalist. Email services remained disrupted, with public communications directing inquiries to phone contacts while restoration efforts continued. The incident deviated from typical ransomware patterns as the attackers did not directly contact the victim, and external support was provided by provincial municipal authorities during the response.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In mid-November 2022, the City of Westmount, Québec, experienced a significant cybersecurity incident attributed to the Lockbit ransomware group. City staff first detected technical anomalies during the week of November 13, though initial internal assessments did not immediately identify the full scope of the breach. The situation escalated when a journalist from La Presse contacted Westmount's head of information technology to report that Lockbit had publicly claimed responsibility for infiltrating municipal systems and exfiltrating approximately 14 terabytes of data. Contrary to typical ransomware operations, the city administration confirmed it had not received direct communication or ransom demands from the threat actors prior to this external notification. Over the subsequent weekend, an employee reported additional system irregularities, prompting the IT department to proactively shut down affected machines as a containment measure. The Quebec Federation of Municipalities provided technical assistance to Westmount throughout the incident response process.
The cyberattack caused substantial operational disruptions, particularly to municipal email services, which remained offline for multiple days. By November 20, the city's website displayed a public notice acknowledging the email outage while emphasizing that the web platform itself remained unaffected. Citizens were directed to telephone directories for departmental contacts as workarounds for critical communications. Lockbit threatened to publish the stolen data within a two-week timeframe, though the specific nature of the compromised information was not detailed in public municipal statements. Forensic investigations focused on determining the intrusion vector and evaluating potential data exposure across municipal networks. No restoration timelines or financial impacts were disclosed as response efforts continued with external cybersecurity support.