Richard Frank agrees, it’s possible no information was stolen from the District of Maple Ridge website because the breach likely was an automated procedure that the district caught in time to take security measures.
The probe could have come from Russia, China or North Korea, where many hacks originate, says the assistant professor with SFU’s School of Criminology.
“To compliment them, they’re very talented,” he said of the hackers. “We have easy targets and lots of money – compared to them.”
Maple Ridge, along with the City of Abbotsford, had its computer systems hacked recently, resulting in software being installed onto the district’s server on July 2.
An outside information technology specialist alerted the district on July 19.
The district says it appears that personal data wasn’t accessed.
Frank says it’s possible no data left the system, although it depends how vulnerable the district’s servers are. Municipal IT departments often don’t have the staff that big companies can devote to computer security, he said.
Maple Ridge has told residents who use the “My Maple Ridge” service to pay their bills online that they should change their security question and password, just in case.
It also said those who pay their taxes online through monthly pre-authorized withdrawals from their bank account may have had that information stolen and that they should contact their banks.
It points out the information would amount to no more than what’s on a personal cheque – name, address, bank and account number.
Frank said the hacking software is called an IP scanner, or a port scanner. “Essentially, it looks to see if anything is responding on a computer.”
Frank said it would be a good idea to change passwords anyway, but if the data left the system, such as that from a personal cheque, it could be enough to contact somebody’s bank and get access to an account.
The district says most of its credit card payments are done via a third party, and information such as credit or debit card, driver’s licence and social insurance numbers wasn’t at risk because it’s not in the system.
Having a new password still is a good idea in case the hacker decides to return.
There are two types of attacks: manually attacking an Internet program, or circuitously accessing servers or websites to get other information, such as financial details.
Frank said an IP scanner will go from one Internet protocol address to another, looking for vulnerabilities. Once it finds a vulnerable system, it’s added to the list for future probes.
“The software essentially will act like a filter. Rather than a person looking at 16 billion computers manually, the software will filter it down to a set that have some vulnerability.”
But it all depends where on that list Maple Ridge’s system was and whether the hacker got that far on the list.
“So it’s possible that they will never get to it.”
Frank pointed out there has been some software that has been on servers for years without being discovered.
He pointed out that one hack of the T. J. Maxx department store in the U.S. in 2010 had 45 million credit cards stolen. Those cards could have been sold online for $5.
“It’s possible that no data left their [the district’s] system. The original hackers just haven’t had a chance to get any of it.”
And measures by the district to shut down its systems should take care of the problem.
“It depends how bad the computers were vulnerable.
“It depends, there are a lot of different variations.”
After checking the district’s software, Frank found its systems to be up to date.
If it’s automatic and the goal is financial information, it’s likely it wasn’t targeted at Maple Ridge.
Maple Ridge web developer Jon Peters, though, said that when a site is probed, it’s always done with the intent of breaking into a site.
“The initial probe uses automated software to test for vulnerabilities. That probe then typically sends the notification to the would-be hacker that a site is vulnerable,” said Peters, whose business partner is Maple Ridge Coun. Corisa Bell.
He said the next step if a system is vulnerable is to install software to run commands.
“It wouldn’t make sense for a hacker to install software that does not do so. The extent of the breach would have been to the extent of the software installed and the environment in which it was installed.”
In his opinion, “a hacker would have had access to no more information than what’s available on the server.”
Peters said he used the online system to submit his homeowners grant and had to input various pieces of personal information to do so. “As someone who has been a victim of identity fraud in the past, due to a mailbox break-in, I find these events unsettling.”
He wanted to know if the district will reveal the type of software installed once it completes its security review. He also wondered if it was safe for people to log on and change their passwords if the review was still underway.
Frank, though, said Maple Ridge seems to be doing the right thing.
“It seems like they’re responding properly. At least they’re being open about it.”