In late January, the Town of Westlock experienced a cybersecurity incident involving a ransomware attack that compromised the personal information of 1,633 residents.
In a statement released early Friday afternoon, May 31, Town of Westlock CAO Simone Wiley said the town acted quickly as soon as they learned personal information was impacted and “conducted an exhaustive, manual review of the impacted data to identify impacted individuals and the specific types of personal information involved.”
That process spanned several weeks.
“On January 31, 2024, we detected a cybersecurity incident involving unauthorized access to a portion of our IT infrastructure,” said Wiley. “We acted immediately to secure our network and data from further unauthorized activity and engaged third-party cybersecurity experts to contain and remediate the breach and perform a forensic investigation to determine the nature and extent of the incident.”
In a follow-up email Friday, Town of Westlock communications and marketing coordinator Debbie Mottus confirmed a total of 1,633 residents were impacted, including both individuals and businesses who participate in the pre-authorized payment plan and businesses and employees who used EFT.
Wiley said in an interview that the town contacted those directly affected by this incident and is providing credit monitoring and identity protection services to support the affected residents.
“Additionally, we have implemented enhanced security measures to strengthen our defences and to better protect against future incidents,” Wiley added, noting they are working with legal advisors and have reported the incident to the Office of the Information and Privacy Commissioner of Alberta.
Wiley said the town did have “very good security measures in place to begin with” and what they have implemented pertains to an “increased monitoring in the back end of our system.”
“We already had monitoring … so we just increased the amount of monitoring that’s going on in our system to detect any unusual activity.”
She said there was a cost related to the enhanced security measures but “it’s not significant” and she did not provide an exact number.
Wiley said that because the incident is still under active investigation and things are not fully wrapped up, she could not provide any details about the cybersecurity incident with regard to the ransom.
“So it was ransom, but I can’t provide you any details on that,” said Wiley. “RCMP are involved, however the investigation is a lot more than that at this point because our insurance company is involved.”
Wiley said letters were sent out to residents impacted or potentially impacted on May 30, and those letters contained “a code for credit monitoring that people can utilize to monitor their credit for free,” noting it also includes identity protection. “The letter that we sent out has information and resources that people can utilize to protect themselves against threats like identity theft and fraud.”
When asked about the four-month timeline and why residents were not informed of the incident sooner, Wiley said that due to the “thoroughness and manual review of data to determine who may have been impacted and the type of personal information that’s potentially at risk, that process took quite a significant amount of time to complete,” adding they wanted to ensure they weren’t “overstating or understating.”
“So it really was about ensuring that we knew what the potential impacts were before making any sort of notification.”
The town’s IT company, which monitors its systems around the clock, detected the unauthorized access to a portion of the town’s IT infrastructure. She said the town has not been able to identify if it was one person or a group of people who hacked the system.
It was the first time the Town of Westlock has been hit with such a cybersecurity incident, and when asked why the town did not implement the enhanced security measures prior to January 2024, Wiley said the town did have “pretty robust security measures in the first place (but) they (hackers) keep getting better and better.”
“People who are trying to access your system are always finding new and different ways to access it,” said Wiley.
“Those measures were certainly implemented here, however incidents are not new and they’re not always preventable. We did have security measures in place and we have and will continue to work with third-party cybersecurity experts to understand how we can even further improve our security measures going forward.”
Cybersecurity
Brett Callow, a threat analyst for the cybersecurity company Emsisoft, said most hacks of this nature occur for monetary reasons and are “financially motivated.”
While Callow said he has no insight into what actually happened, he said that, as a cybersecurity analyst, the most likely explanation is that “somebody managed to access their systems, extracted the data from those systems and asked for a ransom in return for its destruction.”
Callow said when it comes to cybersecurity, hackers don’t care what size of organization or company they attack, including a small, rural town.
“There are more incidents involving organizations of all sizes, across both the public and private sectors,” said Callow. “Westlock probably wasn’t specifically targeted. This was likely a matter of them not having properly protected some internet phase and infrastructure or somebody having opened an email attachment that they shouldn’t have opened,” he said. “It was likely randomized in other words and the (town) was not specifically targeted.”
He also questioned why such enhanced security measures were not already in place prior to the cybersecurity incident.
“Most attacks succeed because of failure-based security surveillance.
“Most incidents are fairly easily preventable,” he said. “Why did this attack succeed and why weren’t the other measures they’ve now implemented, implemented a long time ago?”
Callow noted that cybersecurity is complex, and there are multiple layers to security, not just any one particular thing.
He said in most ransomware incidents, if hackers are not paid for the stolen information, they release the data online. He looked into the Westlock incident as an analyst and said he hasn’t seen data online yet relating to Westlock.
“What I can tell you, though, is that there is no sign of that data online at this point in time, as far as I can tell.”