Someone, or more likely, something, broke into the District of Maple Ridge’s computer system earlier this month, but all signs are that it was an automated probe rather than some devious hacker out to do mischief.
“From all the information that we have so far, we don’t believe that anybody’s personal information was compromised,” information services manager Christina Crabtree said Tuesday.
All signs indicate the breach was done by third-party software installed onto the district’s server. Such software constantly tries to access high-profile systems.
“We don’t know that for a fact. That’s what it looks like.”
Nevertheless, the district is advising people who use My Maple Ridge online services to pay for permits, to change their security questions and passwords.
Some of the information that could have been at risk are names, addresses and bank account numbers used for pre-authorized withdrawal systems for paying taxes.
But that information is comparable to what would be found on a personal cheque.
Residents using that service will be updated following a security review of the incident.
The breech took place July 2, but because there was no activity, the break-in wasn’t discovered until July 21. Someone else in the information technology field alerted the district.
“We don’t believe any data was actually accessed, but the potential risk was there for 19 days,” Crabtree said.
“As soon as we knew there was a potential problem, we shut the system down so there was no further access.”
Public notification of the breach didn’t take place until last Friday, July 26, because the information services department was focusing on securing the system.
About 6,000 e-mails or letters have been sent to residents alerting them of the break-in.
A security notice on the district’s website says the computer systems don’t contain social insurance, driver’s licence, credit or debit card numbers. Most online payments are done offsite via a third party.
At most, a hacker would have had access to no more information than what’s available on a personal cheque.
Crabtree said there’s no idea where the security breech came from and pointed out any high-profile site that offers online services are at constant risk.
“Trying to break in is common. This is the first in the district that we’ve had to deal with.”
To illustrate, she pointed out that 97 per cent of all the e-mail received by the district is either filtered out as spam or junk e-mail, with only three per cent actually getting to recipients’ desks.
“We’re not unusual in that regard.”
Most of the only services have now been restored. An independent security assessment will follow, taking about 10 days, to confirm that no personal information had been compromised.
That will followed by a broader audit of the district’s computer security.