Slow response to Oak Bay residents overshadows data breach

Personal information deemed safe despite unauthorized web access

Oak Bay staff are digging deeper into an online security breach this week.

The district immediately shut down one of its online services to protect residents’ personal information after learning of the potential breach July 22, but did not notify residents until late last week.

“We don’t have a full explanation at this point,” said Mayor Nils Jensen.

Residents who use MyDistrict, an online service for tax, utility, bylaw notices, dog and business licence information via oakbay.ca, are now being warned to change their password.

“We weren’t specifically targeted, it seems to be somewhat widespread … there’s no evidence of fraudulent activity on anyone’s bank account,” Jensen added.

The security breach was with a separately hosted and managed site at online.oakbay.ca. “It’s a subdomain of the Oak Bay site,” said Peter Knapp, CEO of Upanup Studios, which designed and hosts oakbay.ca. “It’s a separate service from the Oak Bay site which exists on a separate server.”

Several other municipalities, including the City of Victoria, experienced unauthorized access to their MyDistrict municipal services portal, which was caused by faulty software, on the same date.

The data that was potentially at risk includes personal information of residents who use pre-authorized payment plans for their tax and utility bills. The online service does not collect highly sensitive information such as credit or debit card information, social insurance numbers or drivers’ licence information.

In a letter to affected residents, Oak Bay deputy treasurer and IT manager Fernando Pimental said: “As attacks on high-profile sites are common, we both monitor and improve our site continuously to ensure security at oakbay.ca. We want to err on the side of caution by providing you with the information we have.”

Notice of the security breach was sent to more than 1,000 residents by mail and email. “By Friday all the customers we had email addresses for had received an email from us telling them there might be an issue,” Jensen said.

As a precaution, the district recommends that any residents who have signed up for preauthorized payments monitor their bank accounts and contact their financial institution if they have further concerns. Residents who use MyDistrict are advised to log in and change their password and security question.

Knapp said these types of security breaches are not uncommon. “I don’t want to downplay it, but when you use the term hack it sounds like a person hacked into the site, but in reality, this is more likely a virus.”

By Tuesday morning, the district had received about 20 calls from concerned residents.

“Fernando has been meeting with the bank managers. We’ve provided them with information in regards to what happened,” said district interim CAO Gary Nason. “We continue to have no evidence of any personal information being accessed.”

The affected server was turned off and a new server was brought online on July 23.

Jensen asked Nason to look into the reasons why it took so long for residents to be notified of the security breach. “It was too long, but we can’t say why, at this point, without a full investigation,” Jensen said.

“The mayor asked me to take look at the practices and protocols – and what the other municipalities did – specifically on the issue of why there was a delay in getting the advisory out,” Nason said. “We hope to have the independent security audit findings by the end of next week, if not earlier.”

Jensen said he wants to know, “not only what happened, but how we can avoid it in the future.”

Residents are asked to contact Pimental by email at fpimental@oakbay.ca or by phone at 250-598-3311 during regular business hours if they have any questions or concerns.

 

How do I change my password and security question?

1. Go to oakbay.ca and scroll down to Online Services.

2. Click on the word “MyDistrict Online.”

3. Log on to the service.

4. Select the Profile menu on the left side.

5. Change your security question and then select Update Your Profile.

6. After updating your question, select Change Password and change your password.

 

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

Baby raccoon rescued from 10-foot deep Saanich drainage pipe

‘Its cries were loud, pitiful and heartbreaking,’ Saanich animal control officer says

Police respond to successful Facebook scam on Oak Bay resident

Petty thievery in King George Terrace where plants, gargoyle are missing

Victoria Clipper suspends services through April 2021

International travel restrictions, COVID-19 uncertainty lead to decision

UPDATE: Incident near Mount Douglas Park ‘strictly medical,’ Saanich police say

Intoxicated person taken into police custody, brought to hospital

B.C. records 62 new COVID-19 cases, two deaths since Friday

Province has just over 200 active cases

Port Alberni will have a salmon derby on Labour Day after all

Alberni Valley Tyee Club reveals ‘socially distanced’ derby only for Labour Day 2020

Hotel rooms for B.C. homeless too hasty, NDP government told

Businesses forced out, but crime goes down, minister says

Suspicious fire quenched before reaching gunpowder in Nanaimo’s historic Bastion

Probe underway in basement blaze that erupted near where powder stored to fire signature cannons

Duncan model makes quarter finals in ‘Maxim’ magazine contest

Brandee Peart among top one per cent left in competition

Wage subsidy will be extended until December amid post-COVID reopening: Trudeau

Trudeau said the extension will ‘give greater certainty and support to businesses’

B.C. government prepares for COVID-19 economic recovery efforts

New measures after July consultation, Carole James says

Fisherman snags barracuda off Vancouver Island in rare encounter

Ferocious fish, not native to Canada, was netted and released in Alberni Inlet

Most Read