
Cybersecurity attack on Banff proving costly

“Once all planned security measures are implemented, it is recommended that a cybersecurity audit by a third party be implemented to ensure the safeguards put in place adequately secure our network and data.”

BANFF – The cybersecurity attack on the Town of Banff earlier this year has come with a hefty price tag.

Administration has asked for an additional $220,000, which includes $125,000 in wages and benefits for new IT personnel, $25,000 for a cybersecurity audit, $25,000 for cybersecurity insurance and $50,000 for additional hardware and software.

“It’s a big number, but it’s much smaller than the cybersecurity cost that we incurred this year and we already had a pretty darn good cybersecurity system in place, more than many other places do,” said Councillor Chip Olver.

“I feel that this is absolutely essential for us to ensure the continued safe operation of our systems.”

As part of service review on Wednesday (Nov. 30), the governance and finance committee voted 5-2 to approve the $220,000 request for a final decision during budget deliberations.

Following the March 19 computer hacking attack, the municipality contracted a team of cybersecurity experts with KPMG to work with the internal IT team to enhance security and reduce the risk of future attacks on IT infrastructure and data.

“Some of these recommendations were implemented during 2022 and some are planned over the next several years,” said Chris Hughes, director of corporate services for the Town of Banff.

The budget roll-out at service review shows the 2022 approved budget for IT was $711,220, but the actual budget is now projected to be closer to $1.12 million by year’s end.

According to the municipality’s second quarter financial statements, the IT department’s wages, benefits and overtime were $23,000 higher than budgeted this year, $10,000 of which was attributed to the cybersecurity incident.

In addition, legal fees were $246,000 higher than budgeted and contracted services jumped by $403,000 as a result of the computer hacking attack.

As part of service review and budget, administration has also asked for additional IT personnel to implement the remaining cybersecurity initiatives recommended by the cybersecurity experts.

Specifically, they’re recommending a manager be added to help the IT team manage the additional work related to implementation and ongoing support for security measures.

“Once all planned security measures are implemented, it is recommended that a cybersecurity audit by a third party be implemented to ensure the safeguards put in place adequately secure our network and data,” said Hughes.

“With the frequency of cybersecurity attacks increasing and understanding that no level of security will fully prevent a future attack on our system, administration is recommending an increase to the level of our insurance against such future attacks.”

Municipalities can be favoured targets of cybersecurity attackers because their cyber defences aren’t as sophisticated as those of higher levels of government. Attackers believe cities and towns may be more willing to pay ransoms than other organizations because of the amount of personal information they hold.

Jason Darrah, the director of communications for the Town of Banff, said the investigation into the cybersecurity attack has concluded, but assessment of cybersecurity risks and the municipality's systems will be an ongoing process.

“The contract was concluded and we were advised that they believe the risk to the data that may have been accessed is very low,” he said.

“The details of the investigation will not be publicly released to avoid providing tools to criminals. We do refer organizations that contact the Town with cybersecurity concerns or similar situations to the cybersecurity experts we had contracted to assess if it is a similar situation,” he added.

“We are not aware of any details about criminal investigations initiated by national RCMP personnel.”

The Town of Banff, which had in-camera briefings with council after the cybersecurity attack, is still not saying if anyone threatened to sell or release data that was accessed in the computer hacking incident as part of any ransom demand.

“We are not in a position to provide specifics of the attack, but we accept inquiries from other organizations experiencing similar attacks and refer them to the cybersecurity experts we contracted to determine if the attack is the same and if our experience can be helpful for those organizations,” said Darrah.

Banff was quick to bring in a team of independent cybersecurity experts with KPMG to help the municipality deal with the matter. The RCMP were also notified and Alberta’s privacy commissioner was alerted.

The Town of Banff retained access to its data and information systems at all times and the municipality’s critical systems were completely unaffected, such as those in place for emergency response like the Banff Fire Department. Infrastructure such as water and sewage was also secured and operating as normal.

However, some of the municipality’s non-essential systems were affected on varying levels, such as webcams, the system for renewing paid parking permits and the online development permit viewer.

Personal information of Town of Banff employees may have been accessed.

In April last year, the Resort Municipality of Whistler (RMOW) in British Columbia had a cybersecurity event. Also in 2021, Ontario’s Regional Municipality of Durham, which provides regional services to eight local municipalities north of Lake Ontario including the City of Oshawa, reported it was a victim of a cybersecurity incident.

In 2018, two small Ontario towns, Wasaga Beach and Midland, paid ransom demands to reclaim data after anonymous computer hackers held their computer systems hostage for more than two days. Wasaga Beach paid $35,000, while Midland did not disclose how much was paid.

In 2016, the University of Calgary paid a demanded $20,000 after a cyberattack on its computer systems. In 2018, the U.S. Federal Bureau of Investigation charged two men in Iran as part of an investigation into cyberattacks that targeted the University of Calgary and computer networks in the United States.