City's Online Security System Successful in Blocking Attempted Security Breach

On Friday, August 2, 2013 City of Victoria IT staff became aware of the potential for the City's web services system to be compromised, which could result in unauthorized access to personal information. City staff have since determined that all attempts to reach personal information were unsuccessful. No accounts were accessed and citizens' personal information is safe.

What Happened

An attempted attack was made to the City's server hosting an application for tax and utility account holders using the City's pre-authorized withdrawal payment program. The information potentially at risk was name, address, and bank account numbers (as found on a personal cheque).

Banks and credit unions have confirmed that even if the information had been accessed, it is highly unlikely that a person's bank account could be at risk as the City does not store key information to allow access such as PINs or passwords. The information that was potentially at risk is the same found on a personal cheque (name, address, account number).

This incident was part of a worldwide attack on a common software application Cold Fusion that is used for a number of web-based applications. Several attacks have occurred throughout North America. While many were impacted, municipalities were not the specific target in this case.

What the City is Doing

Staff are reviewing the practices and procedures currently in place to ensure a high level of security is maintained at all times.

The City adheres to industry best practices with respect to security and has multiple layers of security in place throughout its information technology systems.This provides redundancy in the event a single security control fails or is exploited. It was this level of security that prevented any disclosure of sensitive information in this incident.

The City has passed each and every external third party security audit performed as part of our banking partners contractual requirements. The City's security systems block more than 1.8 million unauthorized attempts to access the network each year.

What You Can Do

While no users' data was compromised in this incident, the City is still encouraging people to follow best practices for online and banking security.

Best practices include monitoring financial accounts for unusual activity, using a different password for each online account (banking, utilities, email etc), changing your passwords and PINs often, avoid using a password or PIN previously used, never making the password the same as your user name, and to keep all passwords and PINs private at all times.

The City of Victoria takes data security very seriously. If residents have any questions they can contact the City by emailing inquiry@victoria.ca and staff will respond as soon as possible.

Changing Your Password and Security Question for MyCity

  1. Go to www.victoria.ca/mycity
  2. Login to the service
  3. Select the Profile menu on the left side
  4. Change your security question and then select Update Your Profile
  5. After updating your question, select Change Password and change your password