Oxford County has released a few more details about what is now being called a “cybersecurity incident,” but little is known so far.
“Last week, we shared that Oxford County was responding to a technical incident relating to its information system,” said a Monday afternoon press release. “We shared this update ahead of full information to be as open as possible, as early as possible, with residents and partners.”
The county’s communications department has confirmed the following details:
• Oxford County was subject to a cybersecurity incident. As soon as Information Technology (IT) staff identified unexpected activity, they worked to prevent any further unauthorized activity.
• The county engaged third-party cybersecurity experts to assist with containment, remediation, and to conduct a forensic investigation.
• In addition to the measures we had in place before this incident, we are working with our third-party cybersecurity experts to introduce additional security measures as needed to mitigate potential future harm to our system.
• At this time, all systems are operating normally and there are no changes to the services we provide to the public.
“Our focus from the start has been, and will continue to be, determining whether and to what extent information within our systems may be compromised,” explained Warden Marcus Ryan. “We operate with a high degree of caution and awareness when it comes to cybersecurity. It is disappointing for us to share this news, and we acknowledge the concern it may cause for our residents and partners.”
The Gazette reached out to Carmi Levy, a well-known London-based technology expert, for his thoughts on the situation. He explained that when governments, organizations, or other public-facing entities fall victim to a cybercrime, they often find themselves forced to strike a balance between informing their stakeholders of what has happened and not tipping off the attackers or otherwise worsening an already challenging situation.
“It’s a bit like walking a high-wire, because there’s a very fine line between just enough and too much. The harsh reality of the immediate aftermath of a cyberattack is the county may not necessarily know all the specific details of how the event played out, what caused it, what’s impacted, what isn’t, what’s safe to continue using, and what needs to be sidelined while the investigation continues.”
He added that the recovery often involves days, weeks, or even months of painstaking detective work to fully understand the breadth and depth of the attack and build an appropriate recovery strategy that balances safety, cost, and risk minimization.
“This effort requires the input of a wide range of competencies, which the county may or may not already have on staff. And as they work with newly engaged third-party specialists to investigate and recover, they’re challenged with continuing to maintain an optimal level of service to residents even while the crisis is unfolding. It’s akin to rebuilding an airplane while in flight, and it is a tremendously difficult balancing act to pull off – hence it’s often understandable why not every last detail is necessarily shared either early on, or at all.”
Levy said the county is not deliberately withholding information from residents, adding that its communications approach follows cybersecurity best practices developed through a growing number of similar incidents elsewhere.
“They’re sharing what they can share as they can share it. They have effectively set expectations that this will be an ongoing, longer-term event, and further information will be released as it becomes known, as appropriate. This is to be expected and suggests county officials are leveraging both internal systems expertise and guidance from third-party organizations and specialists who have been engaged to manage this crisis.”
“We ask for your patience as we continue to respond to this incident. We are committed to providing you with as much information as we can, as we are able,” added Ryan, who explained municipalities are frequent targets of cyberattacks. “Please be aware that our full response to this incident may occur over months, not days. As with any type of investigation, there will be details we cannot publicly share without compromising the investigation and our response to it.”
The City of Hamilton was hit by a ransomware attack in 2024. Hackers demanded about CAD $18.5 million, but the city refused to pay. Instead, most systems were restored from backups as staff worked alongside cybersecurity experts and law enforcement.
Many city services and systems were disrupted, including online payment systems, transit and telephone lines, accounts payable, licensing and permit applications and vendor payments. Emergency services, water/wastewater treatment, and curbside collection were not affected. By mid-2025, the cost to the city was about CAD $18.3 million for the immediate response, system recovery and external expert support.
Levy explained that, at least so far, the impact on the county is less pronounced than in other attacks.
“Oxford County has been able to maintain ongoing normal operations of all systems, compared to other governments that have had to shut down critical systems such as websites, payment portals, and even library lending platforms for months at a time. In some cases, systems were not recoverable and had to be rebuilt from scratch. So far, their systems operations do not seem to be affected, which is a major relief for residents.”
Levy added that the county has likely activated an all-hands response to the crisis. In such situations, victims often establish a ‘war room’ to bring together key stakeholders—including county staff and third-party experts—in a single coordinated space.
“They’ll likely be working closely together to understand how the attack happened, where the critical vulnerabilities could have been, how the attack is impacting operations, accounts, and data, and what steps need to be taken in the near, mid, and longer-term to close off those areas of weakness and move toward a final resolution.”
The county’s best-case scenario is that no resident information was stolen, and that the root cause of the attack is identified and addressed with enhanced security measures to reduce the risk of future incidents. Levy said the worst-case scenario is far worse.
“Residents’ data is breached and they are faced with the prospect of personal information, potentially including government-issued identification, financial information, and usernames and passwords falling into the hands of criminals who would then use it themselves to amplify future attacks, or sell it to other criminals who would use it for similar purposes.”
He added that, in the hands of criminals, personalized data can be used to craft sophisticated, customized phishing messages that mimic those originating from legitimate organizations. Authentication data can be used to attempt to break into other accounts. The data can also be shared with or sold to other criminals anywhere in the world.
“This is a risk that doesn’t simply disappear once the headlines surrounding this particular attack fade. The risks persist over time, and in fact grow as future attacks add to the pile of breached data available on the open internet and dark web.”
The Local Journalism Initiative (LJI) is a federally funded program to add coverage in under-covered areas or on under-covered issues. This content is created and submitted by participating publishers and is not edited. Access can also be gained by registering and logging in at: https://lji-ijl.ca