Revelstoke Mountaineer white-hat notification of data security issues causes City of Revelstoke to disable emergency notification system | #emailsecurity | #phishing | #ransomware

A wildfire smoke tinged sunset on July 15, 2021 casts a pink hue onto the white Revelstoke City Hall. Photo: Aaron Orlando/Revelstoke Mountaineer Magazine

The City of Revelstoke has disabled its emergency notification system after notified the city of data security issues with the system.

The city’s opt-in emergency alert system sends emails or text messages to subscribers. The system notifies subscribers on a range of city communications, including emergency communications. The system covers the City of Revelstoke and also Columbia-Shuswap Regional District Area B (CSRD). The remainder of regional district uses a separate system administered by the CSRD.

In a July 16 statement, the city said that the system had been disabled due to security issues, and pointed those seeking emergency information to its website and social media accounts for the time being.

An alert issued by the City of Revelstoke on July 16 notifying that the system was being discontinued due to data security issues. Image: Screenshot of City of Revelstoke alert notification dated July 16, 2021

The city said it was in the process of changing to a new emergency notification system and would make an announcement when that system was in place. It did not provide a timeline.

Where to find emergency notifications in the interim

The City of Revelstoke is advising residents to follow its Twitter and Facebook accounts for real-time notifications. The city’s emergency alerts are also still available on its website and are usually located at the top of the page.

What the data privacy issue was and how we discovered it

On July 15, we spent the day working on a story designed to promote the use of the notification system in order to improve local community emergency response communications.

However, while working on the story, we noticed issues with the system, namely that we could log into others’ accounts and change their preferences, including shutting off their notifications. All that was required was the email address of a user signed up to the system, no password.

Responding to our critical story about emergency communications issues from Wednesday, resident Simon Wex then reached out to us on July 15 to point out additional issues, including the fact that with some simple code, one could download the telephone numbers of users of the system and match them with emails, a concerning privacy violation.

On the morning of Friday, July 16, sent a private white-hat notification to the City of Revelstoke noting the potential personal data and security breach.

A couple hours later, the city announced that it was suspending the push notification system, although the general alert system on the city’s website remains active. The decision to turn off the system was the city’s alone.

Wex has technical expertise in mass text notification systems. He also raised concerns about the system’s ability to scale up to send thousands of texts. He presented a technical explanation outlining concerns that the system may be able to send hundreds of notifications, but would not work properly or in a timely way if it were required to send thousands of notifications. However, the point may be moot for the time being since the city has deactivated the system due to privacy concerns.

Mountaineer activism nearly doubles subscribers to Revelstoke emergency notification system before it was shut down

On July 14, the City of Revelstoke issued a media release listing emergency preparedness communications and preparedness resources. This statement came in response to a July 9, 2021 information request by for clarification of the emergency communications protocols, such as in the instance of an evacuation alert or order issued due to an interface fire.

Despite being in place for almost 10 years (we are not sure exactly when it was implemented — it may have been more recently), the city’s emergency notification system has been poorly promoted. As a result, it only had 228 subscribers, despite it being the fastest way to receive urgent emergency communications in the event of a major emergency response in Revelstoke and CSRD Area B. It is also the “push” notification system used for local emergencies, meaning you can set up to notify you by text message 24 hours per day. It can notify you of an evacuation alert in the middle of the night, for example.

Since the city issued its statement and published a well trafficked story listing critical communication issues with the city’s emergency response, 207 new users have signed up to the system in the past 48 hours, bringing the total to 435.

See our July 14 story pointing out Revelstoke emergency communication issues here:

Opinion: Revelstoke officials need to clarify emergency response communications ASAP

In order to promote community security, we intended to follow up today with a story that directly promoted signing up for the system that should be the fastest way to get official government information during major local emergencies. However, noting the data security issues, we decided it was best to first point out the problem to the city, which then opted to shut down the notification portion.

Notification system did several things, not just emergency notifications

The city notification system performed several notification functions, not just emergency notifications. When you signed up, you could select tick boxes for the kinds of notifications you wanted to receive. They included things like parks notices, road work notices, city contract tenders, in addition to emergency notifications.

One of the challenges the emergency notification system faced was it was only used during specific high-level emergencies, such as evacuation alerts. It was not used for things like residential fires or smaller everyday emergencies that don’t require broad public notification. As a result, it was rarely used and many may not have been aware it existed.

We’ll update readers when a new system is in place

When the city provides further information on its new system, we’ll be sure provide an update. For now, they are advising following their social media channels or website.

Whether it’s COVID-19, interface wildfires, or other timely government communications matters, it’s our philosophy that government should adapt to technology and automate communication systems to best serve the public with critical information and data in a timely way. In the past year, we have reached out directly to emergency services organizations such as police and fire in Revelstoke and advocated for them to adapt to the digital times and optimize their emergency communications systems.

Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

+ 4 = twelve