City knew of massive cyber breach days before admitting it

Documents obtained by CBC show the City of Saint John was made aware that names and credit card information for as many as 6,000 parking customers had been exposed days before officials publicly admitted it.

Reporter from IT World presented Saint John with facts of the case on Dec. 18

A cyber attack allowed a malware to lurk unnoticed on Saint John's parking fine server for as long as 18 months. (CBC)

Saint John officials waited three days before letting the public know of a massive cyber breach that exposed the names and credit card information of thousands of parking customers, documents show.  

The municipality's official line is that it learned of a malware attack on its parking fine server Dec. 21, 2018, in a pair of online information technology news reports.

But documents obtained by CBC News show one of the reporters involved, Howard Solomon of IT World, contacted the city by email Dec. 17 asking for comment on the breach.

He followed up the next day with a link to a U.S.-based cyber security blog, Gemini Advisory, that listed Saint John among dozens of cities hacked.

Was asked to call back later

The Gemini report even included the number of customers in Saint John who were affected.

In correspondence with Solomon, city communications director Lisa Caissie asks if he could call her two days later on Thursday, Dec. 20.

"The story is out today," replied Solomon. "I can't tell my editor the story is going to be held two days."

The story described by Solomon was published online Dec. 18, by city IT staffers only read the article — which singled out the city for special mention — on Dec. 21.

Stuck to Dec. 21 date

That date has been used repeatedly by city staff in referencing the cyber attack both in internal emails, a document presented to council, and interviews with news media, including by Mayor Don Darling and Stephanie Rackley-Roach, the city's director of corporate performance.

CBC reached Solomon in San Francisco, where the contributing writer to IT World is attending a security conference.

He said he contacted the city to find out what staff knew about the attack, when they found out, and what steps the municipality was taking to alert customers whose personal and credit card information had been exposed.

"The city never got back to me, which would suggest that they found evidence that there was indeed a breach," said Solomon.

IT World contributing writer, Howard Solomon directed the city of Saint John to information about the cyber attack three days before municipal staff say they learned of the breach. (Twitter)

While the record shows Solomon informed the city of the cyber attack, the city may not have immediately believed his information.

On Dec.19, the day following Solomon's exchange with Caissie, the city received notice from CentralSquare Technologies, the Florida company providing the Click2Gov parking server software, that there was no problem with the system.

"Resolution: Checked Click2Gov server for evidence of malware/possible breach, no evidence found of breach/malware," says the statement signed only "Customer Support."

City questioned accuracy

Disbelief in the cyber breach continued even into the morning of Dec. 21 when Caissie sent an email to Gemini Advisory saying the municipality had "concerns about the accuracy" of information reported in the news story of the breach.

Stas Alforov, Gemini's director of research and development, responded with a list of the names and addresses of 4,600 Saint John residents, or "victims," uploaded from the city's server over a 16-month period beginning July 2017. 

Up to 6,000 users are believed to have been affected by the Saint John breach.

But even while staff were getting incorrect information from the city's software support company, there is evidence they were informed a month earlier of a malware problem with the municipal parking server.

User reported an issue

On Nov. 16, 2018, the city was contacted by Jason Landry, whose name, while redacted in numerous emails released to CBC, remains unredacted in at least one instance.

"My payment card was only just activated yesterday and only to pay my parking ticket," wrote Landry. "My card number was leaked and used three times last night for purchases in the U.K."

A followup internal email posted at 11:01 that night by Robert James, the city's operations manager for IT infrastructure, said CentralSquare checked the Saint John server and "see nothing out of the ordinary and no sign of a breach."

CBC was unable to reach Landry on Tuesday.

The city took it's click2gov parking server offline Dec. 21 and a new system is expected to put into operation during the second quarter of the year.

A spokesperson said city staff are working on a response to a CBC request for comment on documents obtained through a right to information request.

Darling could not be reached for comment.

 

About the Author

Connell Smith

Reporter

Connell Smith is a reporter with CBC in Saint John. He can be reached at 632-7726 Connell.smith@cbc.ca

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.