The District of Squamish says it fell victim to a phishing attempt last year, when an employee received and acted upon a fraudulent email from an outside entity.
The district lost $5,000 in this successful phishing attempt, most of which the district says it has recovered.
The fraud was reported in the district’s annual consolidated financial statement, which was prepared by BDO Canada LLP, and was recently presented to council.
The district divulged the details after a query by the Squamish Reporter.
The district said it had upgraded its cyber security systems following the attack.
“Since this situation, the district has updated its spam protection service, reviewed and updated departmental processes, checks and balances to ensure transaction requests are verified, and has an ongoing focus on staff training,” said Conrad Kordel, Director of Information Technology.
Kordel said it was worth noting that phishing emails were received by businesses and organizations every day, including by the District.
“Government organizations, in particular, are targets because of the need to keep operations running 24/7 and cyber criminals know and use that to their advantage,” Kordel said.
Kordel said the district’s security goal was to protect systems and information across its large, virtual area, and make future attacks “non-events”. He said the district had taken many steps over the year to improve network security and had built up network threat protection.
A new IT role focusing on network security is also being funded in the 2020 budget, and the job for a Manager of IT Security and Infrastructure has been posted.
The district was also targeted with a ransomware IT system attack this February, which it didn’t reveal to the public until after a media query by the Squamish Reporter.
The district said it didn’t pay any ransom money in that attack and most systems were back up and running with minimal data loss.
According to Kordel, the district reports cyber-attacks to the RCMP, the Office of the Chief Information Officer of BC, and in the phishing scam, to the Fraud Investigation Team at Scotiabank.
If the personal information of citizens was compromised, citizens would be notified, he added.
“As with other security-related scenarios, careful consideration needs to be applied to weigh the responsible sharing of information to meet our goals of being transparent with the community, while protecting security systems and not providing additional intel to cyber criminals that could make us vulnerable in the future,” he said.