Monday, May 6, 2024

Integrated Library System impacted by data breach

Courtesy of the Cariboo Regional District:

The Cariboo Regional District has been informed that the integrated library system (Sitka) of the Cariboo Regional District Library Network was recently impacted by a data breach.

On April 25, 2024, our ILS (integrated library system) provider, the BC Libraries Cooperative (the Co-op), notified us that they had experienced a security incident. The data breach impacted users of several library networks which use the ILS system, operated by a third-party service provider. The BC Libraries Cooperative has released a statement about the incident on its website: https://bc.libraries.coop/news/cyber-security-incident-april-19/

Log files on their servers were compromised that contained the email addresses and phone numbers of patrons who had received automated notifications from the library system (i.e., checkout notices, overdue notices, hold notifications) between March 27 and April 19.

This is the limit of what was obtained – patron email addresses or phone numbers and nothing else.

The leaked information is limited to any notifications sent between March 27 and April 19 through email or SMS text, and is limited to only the email address or phone number the notification was sent to. The content of the notifications was NOT leaked. The leaked data does not say what the notifications were about, and it does NOT reveal any other information about patrons or their library use, such as checkouts and holds.

The Co-op informed us that the exploit which allowed the attacker to gain access to this log file was closed on April 19, 2024. The Co-op is not able to provide a specific list of affected emails, and therefore we are required to take an Indirect Method of contact with our patrons. We have placed a notice on our website and have also linked to that notice from within the affected software, describing the extent of the breach and steps patrons can take to help combat any potentially resulting spam or phishing attempts. The Office of the Information and Privacy Commissioner will also be notified of the breach, as required by the Freedom of Information and Protection of Privacy Act.

We want to reassure all library patrons that the Cariboo Regional District and the Cariboo Regional District Library Network will not contact you by unsolicited email or text messages to demand an online payment, request personal information, or to obtain sensitive information. The Library Network’s system will contact you only in one of two circumstances:

  • To provide you with a receipt of borrowed materials.
  • To let you know that an item you’ve requested is available.
  • To send reminders to return overdue items from the library collection.

The Canadian Centre for Cyber Security has several resources available that seek to educate others about cybersecurity risks, including those presented by phishing scams. They have recommended several ways you can protect yourself and your information, including:

  • Verify links before you click them. Hover over the link to see if the info (sender/website address) matches what you expect.
  • Avoid sending sensitive information over email or texts.
  • Back up information so that you have another copy.
  • Apply software updates and patches.
  • Filter spam emails (unsolicited junk emails sent in bulk).
  • Block IP addresses, domain names, and file types that you know to be bad.
  • Call the sender to verify legitimacy (e.g. if you receive a call from your bank, hang up and call them).

Anyone with questions about the data breach and any appropriate measures that are being taken to protect the information of library patrons can contact the Manager of Library Services at 1-800-665-1636 or by email to mailbox@cariboord.ca. For more information on how to protect yourself from phishing scams, you can also visit the Canadian Centre for Cyber Security’s website: https://www.cyber.gc.ca/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks
