July 12 Update
The Town of Banff is using $656,000 to cover the costs of responding to a cybersecurity attack and to enhance the Town’s ongoing cybersecurity. The unplanned expenditure is funded by Banff’s budget stabilization reserve, which was created to address emergencies.
On March 19, 2022, the Town detected an external attack on the Town’s computer systems. The Town took immediate steps to secure its systems. A team of cybersecurity experts were contracted to reinforce the Town’s security, investigate the attack, and implement measures to limit the impact.
“We were the victim of a sophisticated crime – a crime that is increasingly targeting municipalities – because of our need to collect personal information as part of the business of serving the people in our community,” said Banff Mayor Corrie DiManno. “Our systems worked in blocking the attacker from taking control of our computer systems, but for a short period of time they had access to our network. We needed to take aggressive steps to protect our systems and to reduce the risk for people in our community whose personal information may have been accessed.”
The immediate response to the attack involved disconnecting all web-based systems, followed by reviewing and reinforcing security of all connections. A thorough investigation determined personal information records had been accessed, including personal employee information. The Town offered credit monitoring to staff and former employees out an abundance of caution.
“I want to recognize our IT and Information Governance Team, as well the cybersecurity experts we hired, for their thorough work to secure our systems and to safely bring back online about 30 public-facing networks and web-based applications. This was done with such speed that most people in our community would not have even noticed any disruption,” said DiManno. “Behind the scenes, this represented thousands of hours of work over the last 100 days and involved analysis, installation of state-of-the-art technology and review of all processes.
“This has amounted to a significant expenditure of tax dollars, but we feel the investment is essential to safeguard the people in our community against future potential attacks, and to mitigate the impact of this incident. We have learned that every computer network, no matter how secure, is always just one keyboard click away from allowing malicious code to slip past security. That’s why we look at processes as well as technology.”
The $656,000 budget reallocation includes costs associated with contracting cybersecurity experts for almost 1,000 hours of investigating the attack, reinforcing security, auditing data networks, and the recommendations for future protective measures. The total cost also includes overtime for Town staff involved in the investigation and installing new security protocols, the cost of offering credit monitoring, the cost of new tools for monitoring and improving security in the event of future attacks, and software for ongoing assessment of data vulnerability. The Town has made an insurance claim of $50,000 to help offset the costs of the impact.
There remains no evidence of any misuse of personal information resulting from the attack.
In their July 11 meeting, Town council directed administration to publish a report on the attack and its financial impact as part of their commitment to transparency, and to help other municipalities take steps to prepare for inevitable cybercrimes.
“Our priority is to minimize risk of harm to residents and employees,” said DiManno. “We want others to learn from our experience so they can take steps to avoid facing a similar choice. We learned that it’s not ‘if’ you get attacked, but ‘when’ you get attacked. Taking additional measures to guard against this type of damaging invasion, in order to protect residents, clients, customers and employees is essential. Investigating insurance options is also very important.”
The Town has added a range of IT security tools to mitigate against any potential future cyber risks. The Town has adopted tools to ensure proper adherence to data storage protocols and web use. The Town continues to review and improve data collection and retention processes and to continuously improve on practices protecting records.
Jason Darrah, Town of Banff Communications
Jason.firstname.lastname@example.org or 403.762.207.
April 25 Update
The Town of Banff is providing this notification to inform the public that personal information in the Town’s custody may have been accessed or taken in connection with the recent cybersecurity incident.
On March 19, 2022, the Town detected it was subject to a cybersecurity incident perpetrated by an unauthorized third party, which affected certain of the Town’s computer systems. Upon learning of the incident, the Town took steps to secure its systems and limit the impact to its data and operations. Independent cybersecurity experts were also retained to assist the Town in dealing with the matter in accordance with industry best practices.
Based on the results of its investigation to date, the Town believes that some personal information in the Town's control may have been accessed or taken by the unauthorized third party.
The Town has taken steps to reduce the risk of misuse of any data affected by the incident. However, out of an abundance of caution the Town is issuing this notification to inform potentially impacted individuals that their personal information may have been accessed or taken by the unauthorized third party.
What information was involved?
The personal information that may have been accessed relates to current and former Town employees, current and former Banff residents and property owners, business owners, participants in municipal programs, applicants for employment with the Town, applicants and holders of municipal permits and licences, and individuals from out of town who have interacted with the Town through service requests or parking infractions, but not parking payment.
The types of personal information the Town collects about these individuals varies, but includes information such as names, email addresses, physical addresses, phone numbers and in some cases employment information, financial information, vehicle details, signatures, immigration status information, mortgage information, dependent information, drivers' licences, passport numbers, birth dates, marital status information, credit card information, and social insurance numbers.
What we are doing and what you can do
The Town takes the privacy and security of personal information very seriously and has been in contact with the Office of the Information and Privacy Commissioner of Alberta about the incident.
The Town's security experts continue to monitor for suspicious activity and the Town will provide updates as appropriate.
To date, there is no evidence that any misuse of personal information has occurred. The Town has also taken steps to reduce the likelihood of misuse of any data affected in this incident, in accordance with advice provided by cybersecurity experts. Individuals are encouraged to take basic steps to protect their information, such as:
- monitor accounts for suspicious activity;
- update passwords, using complex and different passwords for all accounts;
- use tools available from banking institutions to monitor account activity; and
- update personal security software and operating systems regularly to ensure these systems are up to date.
Contact the Town of Banff if you have any questions about these matters. Any inquiries for the Town of Banff in this respect can be directed to email@example.com or 403.762.1200 between the hours of 8:30 a.m. and noon, or between 1 and 4:30 p.m.
April 15 Update
The majority of computer systems and web applications that people in Banff use to interact with the Town are fully available, and more than 80% of all internal systems used by employees are operational.
The Town of Banff disconnected web-based systems after unauthorized access to its systems was detected March 19, 2022. Although most residents would not have noticed any interruption in services, the Town did not restore public access to some web-based applications, as a measure to secure its network and allow a careful investigation of the cybersecurity incident.
All emergency and essential infrastructure systems were uninterrupted. The Town’s online systems that are fully available include:
- All banff.ca information web pages
- Action Requests/Report a Problem service
- Emergency Alerts
- Roadworks Notifications
- Community Calendar of Events
- Town Council Agendas, live meeting video streaming, meeting agendas and decision minutes
- Requests to speak to Council
- All Town of Banff email
- Online meeting systems
- Business Licensing
- Job Opportunities
- Town Bid/Tender Opportunities
- Community Grant Applications
- FireSmart Assessment Requests and Applications
- Events, Banners and Commercial Filming Applications
- Banff Viewpoints public input projects
- Zero Waste Trail web modules
- The Aster housing sales portal
- Commercial Waste Request Services
- Facility Rentals
- Recreation Programs and Classes Bookings
- Visitor Pay Parking systems
- Construction Project updates
- Town social media accounts
Several systems remain offline as part of the ongoing investigation, including:
- Unwanted Item Pickup (call 403.762.1240 to book the free garage removal service)
- Development Permit Viewer (a temporary web page is available)
- Resident Parking Permits (register at Town Hall or call 403.762.1294 or email firstname.lastname@example.org)
- Traffic Dashboard and Web Cameras
The Town’s Corporate Services Department and the independent cybersecurity team continue to investigate the impact of the cybersecurity incident. The Town was never prevented from accessing any of its systems or data, and no evidence has been found of misuse of any data stored by the Town.
The Town collects information of community members as part of program administration. The investigating team believes that this personal information is not at risk.
The Town collects personal information from its employees for the purpose of payroll, benefits and/or tax purposes, including social insurance numbers, banking information and birthdates. It is possible that some of this information was accessed by the third party. Although there is no evidence of misuse of any personal information, the Town has offered an option of credit monitoring to its employees as a precaution to help employees safeguard against financial harm or identity theft.
March 29 Update
Early last week, the Town of Banff contracted independent cybersecurity experts to assist the Town in assessing the impact of a cybersecurity incident detected on March 19, 2022, and to strengthen the security of the Town’s computer and network systems.
Although the cybersecurity investigation is ongoing, our advisors have confirmed that some personal information may have been accessed in the incident, but it remains too early to determine the extent to which personal information was accessed and the nature of the information. The Town does not have any evidence that any personal information has been misused.
“The protection and privacy of our residents and their personal information is the highest priority for the Town of Banff. It was very concerning to learn that any personal files may have been accessed,” said Jason Darrah, Director of Communications. “We take this very seriously and are working with our advisors to assess the impact to individuals’ personal information. We will provide updates to potentially affected individuals as appropriate.”
Further information about the cybersecurity incident:
- The Town’s security systems immediately identified the cybersecurity incident and took immediate steps to secure the systems and mitigate the impact to data and operations.
- The Town never lost access to its data or information systems.
- The Town’s critical systems were unaffected. Systems such as those for emergency response, water and wastewater systems remained fully operational.
“We recommend all employees and members of the public who may have exchanged information with the Town to follow best practices in protecting personal information, such as creating strong, unique passwords for all accounts and updating them regularly, and checking banking statements and credit information frequently,” said Darrah.
The Town of Banff is committed to data safety and is conducting a careful review of all systems data and all security protocols. The Town will provide updates where appropriate on this web page.
Any questions or media inquiries should be directed to Jason Darrah, Communications Director, Jason.email@example.com or 403-762-1207.
March 24 News Release
The Town of Banff was subject to a cybersecurity incident on March 19, 2022, which affected the Town’s computer systems.
Upon learning of the incident, the Town of Banff took steps to secure its systems and mitigate the impact to their data and operations. Independent cybersecurity experts have been retained to assist the Town in dealing with the matter in accordance with industry best practices.
“The protection and privacy of our residents and their personal information is of utmost importance to the Town of Banff. A team of cybersecurity experts are assisting the Town in assessing the impact while simultaneously strengthening the security of our systems,” said Jason Darrah, Director of Communications. “The Alberta Privacy Commissioner has been notified and we will work with officials on this incident.”
The Town of Banff is committed to data safety and is taking the matter very seriously and is asking its employees, the public and its partners for their patience as it seeks to remediate the situation.
The Town is committed to providing updates where appropriate and will provide updates on our website. Any questions or media inquiries should be directed to Jason Darrah, Communications Director, Jason.firstname.lastname@example.org or 403-762-1207.