The Resort Municipality of Whistler (RMOW) continues to work to restore its online services after it was the victim of a cybersecurity incident in April. The RMOW continues to be in recovery mode and expects full recovery to take at least until the fall.
As of July 2021, all regular services at the RMOW customer service desk at municipal hall are now available with the exception of six and 12 month bus pass sales. Monthly passes are still available at municipal hall. Voicemail and accounts payable systems have been restored. Home owners should have received their property tax notices in the mail and can pay in person at municipal hall, online or through online banking.
Following a months-long investigation in cooperation with cyber-security experts, the RMOW has not found evidence that the private, personal information of the public was obtained by criminals in the cybersecurity incident. The cyber-criminals did obtain the contents of personal drives (P: Drives) on employee computers, which were drives on the RMOW’s network where employees could store personal information in accordance with the RMOW’s Electronic Communications Procedure. An RCMP investigation is ongoing and the RMOW continues to work with the Office of the Information and Privacy Commissioner of B.C. on the incident. If it is determined that private personal information of the public was accessed, the RMOW will notify these individuals.
In May, the RMOW applied for an injunction asking that the Pique Newsmagazine not publish on their website, details of RMOW’s employees’ private personal information. This action was followed by a request under the Freedom of Information and Protection of Privacy Act for the Pique to confirm that they were not in possession of any private personal information that the Pique was not authorized to possess. The RMOW has since received a reply from the Pique confirming they are not in possession of the private personal information in question. At this time, the RMOW is satisfied that legal action is no longer required.
“The RMOW strives to maintain a productive and mutually respectful relationship with the Pique and we continue to appreciate the Pique’s work in keeping the community informed about this and other community news. Council’s decision to commence legal action was for the sole purpose of protecting the private personal information of employees who had their information accessed as the result of a cybercriminal act,” said Mayor Jack Crompton. “The RMOW has a legal obligation to protect all private, personal information in its care. When the Pique published details of this information and declined our request to not include this information in their online version, we felt that legal action was necessary to protect employees from further harm and a further violation of their privacy.”
The RMOW has reported that experts leading the cybersecurity investigation believe that cybercriminals accessed the RMOW’s network through a zero-day vulnerability which is an unknown flaw in software that is taken advantage of before a fix is available. The RMOW has also reported that it did not receive a ransom request, nor did the RMOW make any payment to or engage in dialogue with, the cybercriminals.
Since April, the RMOW has been working closely with cybersecurity experts to restore services and rebuild its network and systems to be as resilient as possible against future cybersecurity threats. A report on the learnings from the cybersecurity incident will be presented at a future meeting of the Technology Advisory Committee once the investigation and recovery is fully complete.