Privacy commissioner miffed at Sault Police over ransomware attack

Police say there was no privacy breach, but Ontario’s Information and Privacy Commissioner isn’t buying it
In 2021, a cyber criminal broke into and encrypted Sault Police electronic records related to things like human resources, finance, public complaints, criminal record checks and closed-circuit video footage

On Thursday, Aug. 26, 2021, IT staff at Sault Ste. Marie Police Service received an urgent alert from their remote monitoring software.

Two of their computer servers had gone offline, they learned.

It turned out someone had locked the police out of their own administrative and records management systems.

Exploiting either a vulnerability in the email server's software patching or a device connected to the service's public-facing IP addresses, a bad actor had encrypted the police data drives.

Four days later, Sault Ste. Marie Police Service acknowledged in a brief news release that a virtual ransomware attack had occurred.

"At no time was our ability to respond to calls for service compromised," they said.

IT staff were "working through the attack to regain access to effected [sic] systems," the release said.

Over the months since then, police have released only occasional crumbs of additional information about the attack, insisting there was no privacy breach.

Now, Ontario's Information and Privacy Commissioner is begging to differ.

"Respectfully, I disagree with the police’s position that the attack did not amount to a privacy breach," says investigator John Gayle in a report issued by the commissioner this month.

"I am not satisfied that the police responded adequately to the breach because they have not reviewed their policies and practices in protecting personal information post-breach," Gayle says.

The commissioner has told Sault Police to review their policies and practices to determine whether changes are needed to protect personal information.

He's also given them three months to demonstrate their training materials constitute reasonable measures to stop unauthorized hackers from gaining access to sensitive police records.

The information involved in the 2021 attack was indeed sensitive.

We now know from the commissioner's investigation that the records covered:

  • human resources
  • finance services
  • public complaints
  • freedom of information requests
  • the criminal record check database
  • taxi/limousine administration
  • the warrant shared database
  • closed-circuit television footage
  • audio from the police communication system
  • the police intranet

The difference of opinion on whether there was a privacy breach at police headquarters hinges on a legal definition.

The police argue that the affected information was never stolen, only encrypted in place. 

"The purpose of the attack appears to have been to hold it ransom," Gayle says.

The commissioner nonetheless maintains that encryption of city police documents is still an illegal use of personal information under Ontario's Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).

"In this matter, the police reported that the threat actor encrypted records of personal information making the information inaccessible to the police. In my view, transforming the accessibility of the information was a kind of 'handling' of or 'dealing with' that information by the threat actor and, therefore, a use within the meaning of Section 31 of MFIPPA," Gayle says in his report.

After learning about the attack, police immediately shut down their servers and took action to contain it.

They then contacted and worked with law enforcement organizations and third-party organizations to investigate the attack.

They rebuilt their IT infrastructure, replaced servers and cleaned any accessible data on computers of individual users.

Other steps taken by the police included:

  • moving from local networks to cloud-based email servers
  • enhancing and increasing network segregation
  • adding a network activity, server and device monitoring tool that provides real-time alerts to their IT staff and third-party consulting agency
  • adding endpoint detection and response to their antivirus solution for all workstations and servers, allowing for faster triage and isolation should a threat actor be detected
  • enhancing their security operation centre with 24-hour monitoring of server and workstation activity by a third-party vendor providing alerts about abnormal resource usage and malicious activity
  • changing and moving their remote monitoring and maintenance software to a hosted solution that enables high security and availability to manage all their network connected devices

"Despite these steps, the matter moved to the investigation stage of the Information and Privacy Commissioner's complaint process because this office had concerns about the police’s response to the attack, as well as the measures in place to prevent unauthorized access to records within the police service," Gayle wrote.

"As part of my investigation, I requested and received written representations from the police. Wherever possible, I have left out references in this report to the specifics of the police’s cybersecurity safeguards, as per the police’s request."

Gayle said he saw no need to re-notify individuals affected by the privacy breach, given the three years that have passed since the 2021 attack.

"However, the police confirmed that they did not review their policies and practices in protecting personal information because they believe that a breach did not occur based on finding no evidence that personal information was obtained or exfiltrated due to the attack."

"Despite my requests, the police did not provide this office with materials relating to their privacy training practices. Without the power to compel production of this material and without the opportunity to otherwise review these practices, I am not satisfied that they constitute reasonable measures in place to prevent unauthorized access to records," the investigator wrote.

"Within three months of receiving this report, the police should provide this office with proof of compliance with the above recommendations," he said.

The commissioner's report doesn't address whether a ransom was paid, how police files were rebuilt or what percentage of police files couldn't be recovered.

In May 2022, SooToday exclusively reported that the cyberattack stopped police from recording security camera footage for eight months.

Evidence presented in proceedings against Cst. Craig Johnston, who was fired this month by city police, suggested audio recordings of some phone calls and radio transmissions were never recovered after the privacy breach.

The commissioner's report also made no reference to an apparent privacy leak revealed last year by SooToday's James Hopkin, in which classified Sault Ste. Marie Police Services Board documents were made available online.

About the Author: David Helwig

David Helwig's journalism career spans seven decades beginning in the 1960s. His work has been recognized with national and international awards.