BANFF – The cyberattack that hit the Town of Banff earlier this year cost the municipality at least $656,000.
Following a pair of in-camera sessions Monday (July 11), Town council voted 6-1 in favour of using money from the budget stabilization reserve to cover the expenses from the cyberattack. Coun. Hugh Pettigrew was the lone vote of opposition.
As part of the cost, expenses will also go toward enhancing the cybersecurity position of the Town.
“It’s a massive expenditure, but taking all those precautions and putting measures in place to protect personal information of the community – whether residents or employees – is so invaluable and important,” said Mayor Corrie DiManno. “It’s a substantial expenditure, but we believe it’s important to keep information safe.”
DiManno added the Town's cyber protection is now state-of-the-art to mitigate any potential future cyberattacks.
“We basically did an overhaul on security of our emails, web systems and we’ve also looked at all of our internal processes. We put them up to the highest standard that they can be.”
To approve tapping into Town reserves, council had to reopen the 2022-24 operating budget, with Pettigrew voting against the motion. Council unanimously passed a motion directing Town staff to prepare a new service level for options of future cybersecurity measures.
The Town has previously noted the cyberattack led to information on current and former Town employees, current and former Banff residents and property owners, business owners, participants in municipal programs and applicants for employment with the Town being accessed. Applicants and holders of municipal permits and licences and individuals from out-of-town who interacted with the Town via service requests or parking infractions – but not parking payment – were also accessed.
The Town has said the information can include names, email addresses, physical addresses, phone numbers and potentially employment information, financial information, vehicle details, signatures, immigration status, mortgage information, dependent information, drivers’ licences, passport numbers, birth dates, marital status information, credit card and social insurance information.
The Town previously said about 130 gigabytes of information may have been accessed through the cyberattack, but that the Town was not locked out or stopped from accessing its information.
However, the Town said in a statement there had been “no evidence of any misuse of personal information resulting from the attack.”
The biggest financial impact was $600,000 to secure the IT system, respond to the attack and investigate and come up with mitigation measures. The cost to implement the enhanced security recommended by cybersecurity experts is about $30,000 and additional software to increase security is estimated at $26,000. The remaining budget stabilization reserve is roughly $735,000.
According to the Town’s first quarter financials, revenue from parking and traffic fines are forecasted $237,000 lower than budgeted, which was partially due to the cyberattack. Municipal bylaw officers were unable to hand out tickets for about a month following the attack.
Kelly Gibson, the Town’s CAO, told council Monday that staff believes the lost revenue can be made up throughout the remainder of the year and the $656,000 doesn’t include lost revenue. He added it does include overtime and anticipated overtime hours, but not regular wages since they are already budgeted.
“It’s predominantly fine revenue due to the delays in the system coming back up. We will update on second forecast on that,” he said.
The cyberattack hit the Town on March 19, which saw the Town use a team of cybersecurity experts from KPMG to investigate the attack. Cybersecurity experts also began assisting Town staff with strengthening the security of the municipality’s systems.
Both the RCMP and Alberta’s Privacy Commissioner were notified of the cyberattack.
Town council was briefed March 28 in an in-camera meeting and an additional in-camera meeting was held April 5, which had no details provided on a confidential motion.
Council had an April 11 in-camera meeting to approve another confidential motion. The July 11 meeting had council go in-camera for just under an hour the first time and 15 minutes the second time.
The Town of Banff has frequently cited the Freedom of Information Protection of Privacy (FOIP) Act Sections 23 (local public body confidences), Section 24 (advice from officials), Section 25 (disclosure harmful to economic and other interests of a public body) and Section 27 (privileged information) in keeping information secret.
However, the FOIP sections don’t require council to keep it secret but leave the option available.
“These matters were discussed in camera and motions made in camera, so we could ensure the proper investigation of the cybersecurity incident. … We were ensuring we were mitigating future risk and mitigating the current situation,” DiManno said.
A vote to release a corrected report as a public document narrowly passed 4-3. Couns. Ted Christensen, Kaylee Ram and Pettigrew were opposed.
Pettigrew said he didn’t support the motions since he had hoped for more public information and an idea of how the cyberattack impacted the Town.
“I would have preferred more public details and information on the impacts of this very unfortunate incident, so I could not support the motions as presented,” he said. “In my opinion, cybersecurity is an emerging concern across the world and to any organization. Perhaps there are lessons to be learned here for everyone.”
Christensen and Ram said they supported the financial motions, but not the amendments that are included in the report.
“I think it’s really important that we can be as transparent about the way we manage the organization as possible, especially when it comes to financial matters and we obviously just made a budget amendment,” DiManno said at the Monday meeting.
She heaped high praise on Town staff for managing the months long situation that also included a new COVID-19 wave impacting the Town and a flood watch in the spring.
“I can’t thank you enough for being nimble and doing as much as you did in this situation,” she said.
Cyberattacks have become a common threat to municipalities across the country.
In 2016, the University of Calgary paid $20,000 that later saw two men in Iran in 2018 charged by the U.S. Federal Bureau of Investigation. The Ontario towns of Wasaga Beach – a tourist community – and Midland each paid a ransom to regain control of data that had been anonymously hacked. Wasaga Beach said it paid $35,000 and Midland didn’t disclose the cost.
The Regional Municipality of Durham – which provides upper tier regional services to eight lower tier municipalities near Lake Ontario – was the victim of a cyberattack.
The City of Woodstock – at the crossroads of Highway 401 and 403 in southwestern Ontario – had its municipal and Woodstock Police Service impacted by a cyberattack for several weeks. The City didn’t pay the ransom, but it cost about $670,000 to strengthen and rebuild its cyber system. A further $370,000 was later needed, bringing the total costs to more than $1 million.
Alberta Municipalities – the former Alberta Urban Municipalities Association – hired the Ontario-based Stratejm to complete a report on best cybersecurity practices for its municipal members..
The report highlighted municipal governments often are slow to implement security controls when connecting to a computer network or the internet.
“In effect, lack of adequate security protocols results in weak municipal systems that hackers can easily exploit to take control of systems, knock out public services, and steal confidential information,” stated the Stratejm report.
Cyber threats can come via malware, ransomware, email being compromised and insider threats among other options.
The Stratejm report gave a range of best practices for municipalities to follow such as data encryption, awareness training for staff and installing security tools.
DiManno emphasized that all municipalities complete an audit of internal systems and improve potential weaknesses.
“It’s not a matter of if, but when. The cyber criminal organizations are constantly changing and becoming more sophisticated,” she said. “The reality is municipalities store the type of information that these criminals are looking to gain access to.”
