Oxford County employee information likely compromised by attackers

Lee Griffi, Local Journalism Initiative Reporter

“Through the ongoing forensic investigation of Oxford County’s cyber incident, we have determined there is reason to believe that the personal information of our current and former employees may have been compromised as a result of this incident.”

That was the opening of a county press release providing an update on the cyberattack that was first noticed just over two weeks ago.

“We are deeply sorry to share this news with our current and former staff,” it added.

Warden Marcus Ryan explained the county continues to walk a tightrope between being transparent and releasing too much information.

“We engaged cybersecurity experts and they said don’t say anything because the threat actors are listening and we could release information that could be useful to them. We’ve been constantly balancing that.”

He added the idea of being fully transparent by releasing all details surrounding the potential staff information breach was just too dangerous.

“There is a risk in that whoever did this knows that we know they accessed certain files. We have offered (current and former staff) credit protection, monitoring and identity protection on our dime. As the warden, I am sorry people’s information has been compromised.”

The Gazette again reached out to IT expert Carmi Levy, who said anyone affected should take the county up on its offer and go a step further.

“The damage has already been done. If you are a current or former employee, your data is already out there. It makes sense to take them up on that offer. It almost acts like another set of eyes. If you have been victimized yourself, you should have your eyes wide open and your head on a swivel, looking for strange transactions, messages in your inbox and signs your data is being used against you.”

Levy added that even people who haven’t had their personal information stolen may want to be proactive by purchasing some form of protection.

“It certainly doesn’t hurt that, as a matter of course or routine, you would subscribe to a service like this because anything that gives you additional visibility is a good thing. It reduces your risk of falling victim to future attacks. That being said, there is no way for anyone to ever completely reduce the risk to zero. All of us are at risk of having our data compromised.”

Behind the scenes, the tech expert painted a picture of what the thief or thieves are doing with the information they have managed to steal so far.

“They are assessing the data that was obtained during the breach. They are likely using it to prosecute further attacks by creating customized phishing messages to victims. Current and former employees might see a rise in the number of fraudulent messages showing up in their email, texts and social media inboxes.”

Levy added the data is likely being consolidated with other data sets obtained illegally and being sold to other criminal organizations.

“That’s the way the cybercriminal industry works. It’s based on data and, as new breaches occur, it is sold and shared on the dark web.”

Current employees have been contacted by email, while the county had planned to reach past employees by mail at their last known address — a step made impossible by the ongoing Canada Post strike. Ryan said an online portal is now being offered for former staff to update their contact information.

“We have a sub-group working on alternatives for that. There’s no conclusion yet, but it might be multiple different responses to reach as many people as possible. If former employees read this in the paper, they can go to the Oxford County website and update their information.”

Former employees can visit www.oxfordcounty.ca/it-incident-updates and click on “Update Your Information Now” to provide their details.

“At this stage, we are still investigating whether and to what extent the personal information of other groups may be compromised. If it is determined that the personal information of other individuals has been compromised, we will carry out notifications as quickly as possible to those affected,” added the county press release.

Ryan said he has spent hours on the ground with staff since the beginning of the incident and has been impressed with the response.

“As the warden, obviously, but also as someone whose personal information is in the county system and a resident, I have left every single one of those meetings with absolute confidence in what staff have been doing.”

Ryan said they had identified the issues and put a plan in place as soon as possible. He added his confidence has not been shaken.

“Obviously, I am saying that partly to you because it’s my job to express confidence in staff, but I have felt that every single day when I left. Every single thing we can do is being done and being done quickly.”

He added the cost of the response is within the 2025 contingency budget for emergencies, but that could change down the road.