City takes staff directory offline over security concerns
Decision to remove searchable employee list unrelated to any particular incident, city says
The City of Ottawa has quietly taken its staff directory offline after it determined the searchable list of employees' names, phone numbers and email addresses could pose a cybersecurity risk.
In a brief statement attributed to the city's chief information officer Sandro Carlucci, the city confirmed this week the publicly available directory "was taken down proactively at the end of last year as we determined it was a potential cybersecurity concern. There were no incidents linked to this decision."
Asked to clarify the nature of that potential threat, the city responded Wednesday with this statement, also attributed to Carlucci: "In response to the current global cybersecurity landscape and the heightened threat of exploitation by hackers and malicious software, the City has removed the directory from the website.
"Having lists of emails published on websites increases risk and provides a potential attacker with greater ability to tailor their attacks, for example, for phishing attempts."
According to Carlucci, "the current status of the directory is being reviewed, while the city determines if any changes should be made to enhance security."
The city did not say how long that review is expected to take, but the directory, which listed each employee's name, job title, department, phone extension and email address, has been offline for approximately six months.
The directory listed firefighters and paramedics among the approximately 17,000 city employees, but did not include members of the Ottawa Police Service.
Residents miss directory, councillor says
Coun. Jeff Leiper, who chairs the city's IT subcommittee, said he only recently became aware that the directory had been removed when residents of his ward began complaining to his office.
"There is some discomfort in the community that it has been taken down because it helped residents to navigate the bureaucracy," Leiper said.
"With that taken down, it is more difficult for people to identify the city employee who can best help them with whatever their concern or need is."
Leiper said he has brought the matter up with city staff and is waiting to hear about next steps.
"I would like to understand whether there is some security risk that outweighs the convenience of being able to reach employees directly," he said.
Cheryl Parrott, who sits on the board of the Hintonburg Community Association, said she used the directory frequently to reach individual staff members. She said without access to the directory, making those connections is now much more difficult.
"It really hides and insulates the city from the public, I feel," Parrott said. "I'm afraid that they will never put it back up again."
The city says anyone trying to reach a specific employee can still do so by calling the main line at 613-580-2424 and speaking the individual's name, or by calling 311. City of Ottawa email addresses follow the formula email@example.com.
But Parrott said those options are fraught with drawbacks and difficulties, and said she often resorts to calling her councillor's office instead.
"I find it extremely frustrating to have to bother the councillor for everything," she said.
Leiper confirmed his office is now dealing with more calls from residents trying to reach specific city employees.
Both the City of Toronto and the federal government have public-facing employee directories available online. Both are searchable by employee name or department, and both provide direct access to employees' office phone numbers and email addresses.
'Spear phishing' a concern
While the city says the decision to remove the directory was unrelated to any specific security threat, cybersecurity experts say such public-facing information could potentially expose an organization to fraud attempts, particularly "spear phishing."
That's when fraudsters use their knowledge of an organization's corporate structure to trick employees into sending payments or revealing confidential information. Often, they pose as senior managers whose information they've gleaned online to send phishing emails to unsuspecting subordinates.
"The more information available to somebody who's trying to start a spear-phishing campaign, the easier it will be to impersonate somebody," said Ashraf Matrawy, a professor at Carleton University's School of Information Technology. "Usually these emails are sent with a sense of urgency. They are very well-crafted."
The Canadian Anti-Fraud Centre lists several examples of spear phishing on its website.
City stung before
In 2019, the city's auditor general revealed that then city treasurer Marian Simulik had fallen for a "fake CEO scam" and wired more than $100,000 to a fraudster the previous summer. In April, the city said it was trying to recover more than half a million dollars after the discovery of another fraudulent transaction.
There's no indication the perpetrators in either incident exploited the city's employee directory, but University of Ottawa professor and software security expert Guy-Vincent Jourdan agreed scammers can, and likely do, use such public resources to "map out an attack."
"You can make a more credible story out of your general knowledge of the institution," Jourdan said. "In the movies you see the hackers using some complicated software, but in reality they just call up and they find someone who's willing to give them access. That's by far the most common way of getting into systems."
According to Matrawy, public institutions and corporations such as municipalities face a unique conundrum when it comes to figuring out how much employee information is too much to share online.
"When you're offering service there is a tradeoff between security and usability," he said. "If you want more information to be available, then there could be a security or a privacy issue."