Oak Bay staff are digging deeper into an online security breach this week.
The district immediately shut down one of its online services to protect residents’ personal information after learning of the potential breach July 22, but did not notify residents until late last week.
“We don’t have a full explanation at this point,” said Mayor Nils Jensen.
Residents who use MyDistrict, an online service for tax, utility, bylaw notices, dog and business licence information via oakbay.ca, are now being warned to change their password.
“We weren’t specifically targeted, it seems to be somewhat widespread … there’s no evidence of fraudulent activity on anyone’s bank account,” Jensen added.
The security breach was with a separately hosted and managed site at online.oakbay.ca. “It’s a subdomain of the Oak Bay site,” said Peter Knapp, CEO of Upanup Studios, which designed and hosts oakbay.ca. “It’s a separate service from the Oak Bay site which exists on a separate server.”
Several other municipalities, including the City of Victoria, experienced unauthorized access to their MyDistrict municipal services portals on the same date. The access was caused by faulty software.
The data that was potentially at risk includes personal information of residents who use pre-authorized payment plans for their tax and utility bills. The online service does not collect highly sensitive information such as credit or debit card information, social insurance numbers or drivers’ licence information.
In a letter to affected residents, Oak Bay deputy treasurer and IT manager Fernando Pimental said: “As attacks on high-profile sites are common, we both monitor and improve our site continuously to ensure security at oakbay.ca. We want to err on the side of caution by providing you with the information we have.”
Notice of the security breach was sent to more than 1,000 residents by mail and email. “By Friday all the customers we had email addresses for had received an email from us telling them there might be an issue,” Jensen said.
As a precaution, the district recommends that any residents who have signed up for pre-authorized payments monitor their bank accounts and contact their financial institution if they have further concerns. Residents who use MyDistrict are advised to log in and change their password and security question.
Knapp said these types of security breaches are not uncommon. “I don’t want to downplay it, but when you use the term hack it sounds like a person hacked into the site, but in reality, this is more likely a virus.”
By Tuesday morning, the district had received about 20 calls from concerned residents.
“Fernando has been meeting with the bank managers. We’ve provided them with information in regards to what happened,” said district interim CAO Gary Nason. “We continue to have no evidence of any personal information being accessed.”
The affected server was turned off and a new server was brought online on July 23.
Jensen asked Nason to look into the reasons why it took so long for residents to be notified of the security breach. “It was too long, but we can’t say why, at this point, without a full investigation,” Jensen said.
“The mayor asked me to take a look at the practices and protocols – and what the other municipalities did – specifically on the issue of why there was a delay in getting the advisory out,” Nason said. “We hope to have the independent security audit findings by the end of next week, if not earlier.”
Jensen said he wants to know, “not only what happened, but how we can avoid it in the future.”
Residents are asked to contact Pimental by email at firstname.lastname@example.org or by phone at 250-598-3311 during regular business hours if they have any questions or concerns.
How do I change my password and security question?
1. Go to oakbay.ca and scroll down to Online Services.
2. Click on the word “MyDistrict Online.”
3. Log on to the service.
4. Select the Profile menu on the left side.
5. Change your security question and then select Update Your Profile.
6. After updating your question, select Change Password and change your password.