The “pwning” of Clearview staff emails and passwords

If you’re a victim of a data breach, you’ve been “pwned”.

“pwn”,  means “to compromise or take control, specifically of another computer or application”and is of concern when there is a data breach that allows the names and passwords of users of that database to be seen by others.

A recent check of email addresses has confirmed that a number of Clearview staff have had their corporate email accounts pwned. If the passwords used by those parties on their “keep fit” and other sites are the same as used for Clearview business, then the “ungodly” may well have free access to the systems of Clearview Township and have an easy time holding the township to ransom.

Perhaps as part of any ongoing due diligence towards ensuring that the digital records of the municipality are protected against malware and ransomware, council might like to ensure the security of taxpayer information and ask why CAO Sage is on that list after having his “keep fit” records breached.

I understand breaches of sites such as Adobe that may well have been used for “Clearview business” but I do not believe that it is appropriate for staff members, especially the CAO, to be using their business email addresses for such items as “keep fit” records that would contain personal and not business related information. In any corporate environment that I have been part off, the use of business emails was denied for personal use and I would hope that the rules for Clearview Township are equally explicit and enforced.

Other Clearview staff who have also been pwned are:

jlachapelle, jchester, deagles, bmazaris, rpittendreigh, mrawn and mvaleva.

These breaches of the most basic digital protocols are exactly what has lead to municipalities like Wasaga Beach, Midland and Stratford being held to ransom when their databases are accessed and locked by hackers. Of concern to taxpayers should be the costs of their township being subjected to ransomware.

Questions for council regarding this breach of security by staff:

  • Are staff members allowed to choose their own passwords?
  • Are passwords secured and changed on a frequent basis?
  • Is the minimum complexity of email passwords set to a high standard?
  • Are staff members allowed to use their email addresses for “personal” matters such as keep-fit registrations?
  • In light of the fact that the CAO and two members of the IT team at Clearview are on this list, what steps has council taken to ensure the understanding of the need for security by these specific individuals?
  • What processes are in place to hold staff abusers of the need for privacy and security personally responsible for the costs of any privacy breaches or ransomware incursions?

Any municipality that is reliant solely on insurance to recover the costs of a ransomware attack is suspect. Insurance will not cover basic errors and omissions in preventing openings such as pwn for attackers to get inside of a municipal data centre. The very fact that Clearview staff emails have already been pwned on sites that were being used for their PERSONAL data records should be of great concern to council.

An advisement of these issues was sent to Deputy Mayor Burton, Council and Councillor Paterson on JULY 04, 2019.  To date (August 11, 2019) there has been no response related to this very concerning breach of Township IT resources from any of those parties!

Leave a Reply

Your email address will not be published. Required fields are marked *