Your name, address, maybe even your credit card – if you’ve used the city of Regina’s website to pay a parking ticket or a water bill it’s likely that information is stored in one of their databases.
But how safe is that information?
“I wouldn’t pay my water bill on that site,” Russell Stephanson, a cyber-security consultant with 15 years of experience stated flatly.
On Tuesday, a city of Regina email was hacked and used as a phishing tool to try to get passwords and emails from other city of Regina staff as well as external groups.
They’re not the first city to experience a breach, but according to experts, municipalities need to be more prepared for digital threats.
“The city of Regina, while not negligent, is far below standard; there are a lot of best security practices that are not followed,” Stephanson asserted.
The city declined to comment on the nature of the breach, but said in an emailed statement “Cyber security is a top priority for the City of Regina and we are committed to providing a secure cyber environment to protect our employees and residents.”
They also said they’re not aware of any city data being compromised other than the email address list of one employee.
Stephanson isn’t so sure.
“Was that all that was done? They could have a vast mailing list of everybody that has signed up for that website, they could have more information. The city has said they’re unaware, but they likely aren’t able to ascertain exactly what was hacked,” he said.
Stephanson conducted a security test of the city’s website using only publicly available data.
He found 30 different vulnerabilities.
“There are some security issues in regards to bypassing the security measures that are there and without having these best safety practices set up, the second a vulnerability is there, it makes it even easier to attack the site,” he noted.
The city allocated $1.2 million last year to redesign the site – but Stephanson says the current site wouldn’t even pass a security check from 2012.
“The issue with the city’s website is that they use a content management system which doesn’t allow for proper CSRF tokens, which means it’s susceptible to cross-site scripting. Until you implement that, there is a question of whether the security level that should be there is there,” he noted.
“We have lots of old systems. Any system out there, whether it’s in government or municipal settings, the older those systems are the more exploitable they are,” Alec Couros, a professor of technology at the University of Regina, added.
The city’s upgrade – slated to be fully released in spring 2019 – was a redesign and doesn’t even include security.
“You can’t just invest in infrastructure, you have to invest in helping the public understand when they might see the warning signs of a social engineering risk,” Couros said.