
No further action needed after ransomware attack on SCRD: report

Sunshine Coast Regional District has not paid a ransom following the September cybersecurity incident
The OIPC's investigation into the September 2022 cybersecurity attack on the SCRD has concluded, but there are still questions about what and how much information was accessed. | nito100, Getty Images Plus

The Sunshine Coast Regional District (SCRD) does not need to take any more steps regarding a September “cyber incident,” a new report concludes.

After a ransomware attack hit the SCRD on Sept. 8 and 9 — locking the regional district out of its email and website for nearly 16 hours — the Office of the Information and Privacy Commissioner (OIPC) investigated the incident. 

On Nov. 24, the SCRD issued a press release stating it had notified the OIPC “within hours of the cyber incident taking place,” and the OIPC has recently “determined that no further action is necessary from the SCRD. The OIPC also determined that the SCRD has been compliant with the act.” 

The SCRD has worked with cybersecurity experts to determine how the incident was able to happen and to identify measures to prevent a similar one. Those measures are not outlined in the release, but SCRD staff have undertaken “further educational programming within the organization on cyber security and awareness.”

“I think folks are appreciative of receiving the additional training, and we are tracking the response of it. It seems to be a positive experience that we're all moving forward to be more aware and savvy about keeping security top of mind,” David Nelson, the SCRD’s manager of Information Services, told Coast Reporter.

But the extent of what and how much information was taken is still unknown and some of it has shown up on the dark web, Nelson said. “We know that certainly not all of our data was taken, only a subset.” A Sept. 23 press release from the SCRD said affected parties would be notified.

The total cost of the SCRD's response has not been finalized, but the regional district has spent roughly $50,000 to date, the bulk of which went to retaining an external cybersecurity firm, Aidan Buckley, the SCRD’s manager of communications, told Coast Reporter.

The SCRD received the letter, dated Oct. 14, from the OIPC containing the update on their report, Nelson said. The communications department of the SCRD had been pulled into the Emergency Operations Centre associated with the water crisis, and waited to put out an update that included more information about the phishing emails that appeared in October, Buckley said.

SCRD not alone

The SCRD is not the only government to face cybersecurity threats. The B.C. government “faced a near tenfold increase in unauthorized access attempts in 2020 over 2015, with 372 million/day or 4,000/second today,” according to a March 4 Cybersecurity Update presentation (obtained through a freedom of information request), The Breaker reported. And response to attacks can come with a price: a 2021 IBM report estimated the total cost per breach had risen 20% to $6.7 million.

While ransomware attacks have been on the rise since 2020, threat analyst Brett Callow previously told Coast Reporter the number of successful extortions seems to be on the decline for local governments.

Then on Nov. 10, an Ontario man with both Canadian and Russian citizenship, Mikhail Vasiliev, was charged in New Jersey for his alleged involvement with LockBit, a ransomware group that emerged in 2020. Estimates say LockBit has made at least $100 million in ransom demands. One of its targets? The Sunshine Coast Regional District.

(However, Cybernews reports that the incarceration of a few LockBit affiliates likely won’t take the criminal group down.)

Suspicious emails

Following the September attack, people who had communicated with the SCRD via email months, and in some cases a year, earlier began to receive emails that seemed to be from the SCRD but were from an unknown third party. In examples provided to Coast Reporter in October by several people who received them, those emails asked the recipient to open an attached file.

Whether the phishing emails are linked to the previous ransomware attack is unknown but seems likely. “We can't be sure. It could be others. It looks probable, though,” Nelson said.

The SCRD recommends that people who receive such emails be cautious when clicking links or opening attachments. Email recipients should double-check the email address they’re receiving the correspondence from to ensure it’s really from the SCRD. For further information and advice about phishing attempts, the SCRD provided a link to the Canadian Centre for Cyber Security.

With files from Bob Mackin / The Breaker