City knew of massive cyber breach days before admitting it

Saint John officials waited three days before letting the public know of a massive cyber breach that exposed thenames and credit card information of thousands of parking customers, documents show.

The municipality's official line is that it learned of a malware attack on its parking fine server Dec.21, 2018, in a pair of online information technology news reports.

But documents obtained by CBC News show one of the reporters involved, Howard Solomon of IT World, contacted the city by email Dec. 17 asking forcomment on the breach.

He followed up the next day with a link to a U.S.-based cyber security blog, Gemini Advisory, that listed Saint John among dozens of cities hacked.

Was asked to call back later

The Gemini report even included the number of customers in Saint John who were affected.

In correspondence with Solomon, city communications director Lisa Caissie asks if he could call her two days later on Thursday, Dec.20.

"The story is out today," replied Solomon. "I can't tell my editor the story is going to be held two days."

The story described by Solomon was published online Dec. 18, by city IT staffers only read the article which singled out the city for special mention on Dec. 21.

Stuck to Dec. 21 date

That date has been used repeatedly by city staff in referencing the cyber attack both in internal emails, a document presented to council, and interviews with news media, including by Mayor Don Darling and Stephanie Rackley-Roach, the city'sdirector of corporate performance.

CBC reached Solomon in San Francisco, where the contributing writer to IT World is attending a security conference.

He said he contacted the city to find out what staff knew about the attack, when they found out, and what steps the municipality was taking to alert customers whose personal and credit card information had been exposed.

"The city never got back to me, which would suggest that they found evidence that there was indeed a breach," said Solomon.

While the record shows Solomon informed the city of the cyber attack, the city may not have immediately believed his information.

On Dec.19, the day following Solomon's exchange with Caissie, the city received notice from CentralSquare Technologies, the Florida company providing the Click2Gov parking server software, that there was no problem with the system.

"Resolution: Checked Click2Gov server for evidence of malware/possible breach, no evidence found of breach/malware," says the statement signed only "Customer Support."

City questioned accuracy

Disbelief in the cyber breach continued even into the morning of Dec. 21 when Caissie sent an email to Gemini Advisory saying the municipality had "concerns about the accuracy" of information reported inthe news story of the breach.

StasAlforov, Gemini's director of research and development, responded with a list of the names and addresses of 4,600 Saint John residents, or "victims," uploaded from the city's server over a 16-month period beginningJuly 2017.

Up to 6,000 users are believed to have been affected by the Saint John breach.

But even while staff weregetting incorrect information from the city's software support company, there is evidence they were informed a month earlierof a malware problem withthe municipal parking server.

User reported an issue

On Nov. 16, 2018, the city was contacted by Jason Landry, whose name, while redacted in numerous emails released to CBC, remains unredacted in at least one instance.

"My payment card was only just activated yesterday and only to pay my parking ticket," wrote Landry. "My card number was leaked and used three times last night for purchases in the U.K."

A followup internal email posted at 11:01 that night by Robert James, the city's operations manager for IT infrastructure, said CentralSquare checked the Saint John server and "see nothing out of the ordinary and no sign of a breach."

CBC was unable to reach Landryon Tuesday.

The city tookit's click2gov parking server offlineDec. 21 and a new system is expected to put into operationduring the second quarter of the year.

A spokesperson said city staff are working on a response to a CBC request for comment on documents obtained through a right to information request.

Darling could not be reached for comment.