The City of Hamilton had to notify 1,100 residents that their email addresses may now be known to spammers following a data breach by a city contractor.
Municipal Media Inc. operates the City’s “Recycle Coach” app, and informed the City last week they had failed to follow information security procedures to prevent unauthorized access to their mailing listserv, resulting in 1,100 Hamiltonians having their email address exported by the unauthorized user.
The City of New Westminster was very transparent about the breach, posting the full statement sent by Municipal Media Inc to municipalities. Over 55,000 email addresses were exposed.
“The perpetrator got access to MailChimp when one of our employees’ email accounts was hacked”, wrote Creighton Hooper, President of Municipal Media Inc.
Hooper provided no further details of how the account was compromised. In most similar cases, this is the result of an employee falling for a phishing scam.
Recycle Coach created their Mailchimp listserv in December 2017 to promote new versions of their apps for devices such as Alexa and Google Home.
Municipal Media failed to implement the simple security procedure of two-factor authentication.
Microsoft Regional Director and MVP for Developer Security Troy Hunt commented on this failure, noting that Mailchimp gives users a discount for implementing this simple security procedure.
Looks like a breach of @RecycleCoachApp’s @MailChimp account. Assuming the usual poor password and lack of 2FA vector, remember that @MailChimp will actually give you a *discount* if you enable 2FA!
— Troy Hunt (@troyhunt)
Password software company 1Password openly mocked Municipal Media for failing to implement strong passwords and two-factor authentication. “When it comes to passwords, reduce, reuse, and recycle is not the way to go”, tweeted 1Password to Municipal Media.
Municipal Media President Hooper says customers have responded to the breach by contacting them “to let us know how much they like our service”.
Hooper ended his statement saying “We take security very seriously and have tightened our procedures to ensure that this doesn’t happen again. Our apologies and thank you for understanding”.
All evidence to the contrary on security.