Mayor of latest Canadian town to be hit for online 'ransom' calls for national strategy

Canadian municipalities are "sitting ducks" for "cyber terrorists," says the mayor of Stratford, Ont. — the latest Canadian community to find itself targeted by an online ransom attack.

'We are all vulnerable,' says Stratford Police Chief Greg Skinner

Stratford's Chief of Police Greg Skinner reviews police activity with a member of his staff. Skinner says his department is working with provincial police to investigate the people holding Stratford's data hostage. (CBC)

Canadian municipalities are "sitting ducks" for "cyber terrorists," says the mayor of Stratford, Ont. — the latest Canadian community to find itself targeted by an online ransom attack.

Dan Mathieson said that if his fellow mayors across the country don't start working together on the problem, more communities may be hit by online extortionists holding municipal data for ransom.

"We're not the first and we definitely won't be the last that will experience something like this," Mathieson told CBC News from his city hall office.

"As long as we are holding information that is deemed to be valuable to attackers ... the new terrorists of the century ... I think we need to find a way to [co-operate]."

On April 14, cyber criminals hijacked part of the city's computer servers, locking out some municipal employees. Stratford Police Chief Greg Skinner confirmed the incident was a 'ransomware' attack.

"They were holding hostage the data of the city, and they were demanding a ransom, or money, in return [for] the release of that information in the form of Bitcoin," he said.

To pay or not to pay

Local police are leading the investigation, although they have reached out to the Ontario Provincial Police for specialized help.

But while it's the job of law enforcement agencies to investigate ransomware attacks, the decision on whether to pay such ransom demands is completely up to the city and its insurance company.

"It my job is to deal with the investigation. It was the city's responsibility to deal with all the demands of the attackers," Skinner said.

"How the City of Stratford responded was in the best interests of the city of Stratford and the residents."

Dan Mathieson, mayor of Stratford, says the attackers did not secure payment information because that information is kept by a third party. (CBC)

Mathieson won't say if Stratford has paid the ransom, or if it plans to.

"Right now, because of the process that's underway, we've been asked by the police to limit the type of information we provide," he said. "And until such time as they tell us it's appropriate, we are going to continue to let them lead."

CSE won't tell attack targets how to respond

Scott Jones is the head of the Canadian Centre for Cyber Security at the Communications Security Establishment, the federal agency responsible for protecting Canada's communications networks from attack. He said his office won't give politicians or business leaders advice on whether to pay up to make a ransomware problem go away.

"The key action with paying a ransom is, you have to measure that against, 'How do I get my business back up and running.' And that's an individual decision for an organization to work out internally and with its insurance company," Jones told CBC News.

"And that's really where working with insurance kicks in. It's very important to work with your company in restoration."

Online ransom attacks are a growing challenge, said Rick Orr of Orr Insurance, which acts as Stratford's insurance broker.

Rick Orr of Orr Insurance, Stratford's insurance broker, says online ransom demands are a growing source of concern. (CBC)

"Cyber attacks, ransom attacks are becoming so prevalent," he said. "The old adage of the two things you want to avoid ... death and taxes ... is becoming the three things: death, taxes and [a] cyber attack.

"When the city of Stratford was attacked ... we put them in touch with their insurer's crisis 800 number, and the insurer takes over working with them and providing a lot of advice and guidance throughout the process."

Sensitive data wasn't affected: mayor

Investigators are still trying to determine exactly which information was seized in the attack. Mathieson said he wants to reassure residents that sensitive personal financial data were not compromised.

"They didn't involve payment information because the city has third parties that process payments. We were sure that they were looking at databases that contain city minutes of meetings, regular business transactions, e-mail flow, all those types of things," the mayor said.

Stratford's attack follows similar ransom demands made last year in two other Ontario municipalities: Wasaga Beach and Midland.

In 2016, the University of Calgary paid $20,000 to cyber criminals to regain access to its computer systems.

Because this problem isn't going away, Mathieson said he wants to come up with a national strategy for municipalities to improve cyber security.

"There's over two thousand municipalities in Canada ... they hold a lot of sensitive information on individuals ... on properties, on a lot of transactions. They're very vulnerable," Mathieson said.

"It'd be great actually if there was a national standard, a national association, where we could all fold in and under together and make sure that we had the best opportunity for all of us to protect this information."

Mathieson will get that conversation started this fall, when Ontario municipalities meet for a cyber protection seminar. He said he wants other mayors to consider looking at housing their servers together in one place, pooling funds to hire the best online security experts, or coming up with an advisory board to guide municipalities on how to navigate these attacks.

"I think that's where strength in numbers — putting us all together and finding a way to do it collectively — will allow us to have a best practice."

Skinner said he supports the idea of a unified approach and suggested police could do more as well.

"There needs to be a higher level of coordination ... with respect to these crimes," Skinner said.  

While Stratford Police are working with the OPP on this investigation, Skinner said that because these crimes have a "global scope.... there needs to be RCMP engagement at the national and international level, where the OPP would feed into their investigative expertise."

Skinner said he also wants to see more training and resource funding for police agencies to help them investigate online crimes.

"We are all vulnerable. Municipalities, individuals, and public institutions, private business and law enforcement agencies are all vulnerable," Skinner said.


Katie Simpson is a foreign correspondent with CBC News based in Washington. Prior to joining the team in D.C. she spent six years covering Parliament Hill in Ottawa and nearly a decade covering local and provincial issues in Toronto.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversationCreate account

Already have an account?