Saint John will rebuild from scratch after cyberattack, cover costs from reserves
'Extensive' attack means rebuilding is better choice, city manager says
The City of Saint John will pay to build a brand new network after its systems were taken hostage in a cyberattack, but it won't be cutting services to do so.
The city was hacked on Nov. 13 of last year and has been trying to recover, incrementally returning email and phone services to employees and pivoting to different payment methods for parking and building permits.
In his regular update to common council Monday, city manager John Collin dispelled a rumour that the city has already paid a ransom to the hackers, and confirmed the city will rebuild its network from scratch instead of recovering what it's lost.
"Our analysis has confirmed that the degree of penetration of the virus was indeed extensive," he told council.
Because of this and "several other reasons," Collin said repairing the system is not the best choice.
Collin said this will prevent the risk of any virus remnants staying in the system. He said this route "will take time;" the rebuilding will likely take until April or May if all goes well.
"I must tell you that to rebuild everything over a four- to six-month period is still very ambitious," he said.
The city has been relying on a temporary workaround to pay employees and is operating a temporary website.
It's not clear exactly how much this cyberattack will cost the city at the end, Collin said, and he won't share an approximate number.
"Although we can approximate some of the public costs, we are not yet ready to describe the entire cost in detail," he said. "We will return to council with the exact cost to the public once they are confirmed."
He said the city will have to pay insurance deductibles, but insurance will cover the cost of restoring the city's "previous capabilities."
When the city rebuilds, however, it plans to make improvements, which will come out of the city's IT reserves. He said the cost will not force the city to revisit its budget.
Public will know if city pays ransom
Collin said if the city decided to pay a ransom, it would be a council decision and would be made publicly.
"I will not say any more at this time, since we must not give any valuable information to those who have attacked us," he said.
He said almost all municipal services will continue to be offered, including fire and police.
The city is still working on restoring metered water bills, which are expected to start being delivered again this week. The city is also limited in issuing parking tickets and providing land transaction services.
City still not sharing certain information
Exactly what it has lost is still not clear. The city has not shared many details about who the attackers were and exactly what information was compromised. Collin said this is intentional.
"We do not divulge information that could be useful to those who attacked us. This includes giving them nothing on what systems they successfully compromised, how we contain the virus or how we are mitigating against potential future attacks."
He also said police are invetsigating the "hostile actors" but did not say which agency.
While the city won't share some information, it has advised residents to keep an eye out on their bank accounts and watch for suspicious activity. A cybersecurity firm previously told CBC it hasn't found payment card data from the City of Saint John in the dark web.
Collin said Monday that the city hired experts from the private sector for a forensic analysis to find out if information such as residents' credit card information or social insurance numbers were compromised.
"Although we have yet to receive the final report, indications so far are that no [personal identifying information] has been leaked or stolen," he said.
"We do not expect this to change in the final parts of the forensic analysis."
Collin said the city doesn't keep a lot of personal information on hand.
"Most of our needs are satisfied through cloud-based applications. Therefore, we do not store this information within our networks," he said.
Collin said immediately shutting down the network to stop the spread of the virus seems to have stopped the virus from spreading to other networks.
"We have no indications whatsoever that there was any spread of the ransomware from any city-owned assets or systems to others," he said.
Councillors did not have any questions for Collin after his cyberattack update.