Skip to content

UPDATE: City of Victoria pre-pay accounts breached

July 22 breach wasn't known by senior staff until Aug. 6; Fortin looks for answers

Residents who use the City of Victoria's pre-authorized payment program are being urged to check their bank account statements after a server was breached more than two weeks ago.

City officials were notified of the breach on Aug. 2, a result of a vulnerability in the manufacturer's software and not due to a weakness in the city’s security, said Mayor Dean Fortin.

"This came to senior staff and council's attention on Tuesday and that's when we started the whole process of notifying people," Fortin said. "We haven't found any evidence that (unauthorized users) actually got information but we wanted to make sure people knew as quickly as possible."

Fortin said he'll be investigating why senior staff weren't informed of the software vulnerability immediately.

Staff are following up with local banks and credit unions to ensure branches across the country are aware of the issue, he added.

"We're doing what we can to notify people of a potential breach and asking them to monitor their accounts."

The system holds the names, addresses and bank account numbers of about 5,800 users.

The city's I.T. department has since disabled the server that holds pre-authoried payment information and set up a new server.

Residents should log in to their MyCity Online accounts to change their password. Any external accounts that use the same password should be changed as well.

Victoria's breach is the latest in a string of compromised municipal systems. Last week, Oak Bay, West Vancouver, Abbotsford and Maple Ridge have all reported the same vulnerability in their Adobe Cold Fusion software program.

Fortin said I.T. staff will conduct an internal investigation on the breach.

Users looking for further clarification should email the city at inquiry@victoria.ca.

dpalmer@vicnews.com