Information Privacy

Background Information

Elgin County was the target of a cyber incident and access to its network was gained through sophisticated means by an unauthorized third party. On May 3^rd, 2022, the County of Elgin was alerted by our cybersecurity consultants that certain County of Elgin data was accessed without authorization and posted on the “dark web” internet.

Unfortunately, cyber incidents like this are becoming much more common and while we have long had robust security protocols in place, tactics are constantly evolving. As a result, we are continuing to work hard to strengthen our defenses further.

Please review the following Frequently Asked Questions for more information.

Elgin County recognizes that this data breach may cause inconvenience and concern for impacted individuals. We take your privacy very seriously. We want to assure you that we are working tirelessly to manage this situation in a diligent and responsible way, and apologize for any inconvenience or concern this incident may cause. We would like to thank our staff and the community for their ongoing patience and understanding.

We are still in the process of completing an audit to determine the exact scope of the breach. As part of our commitment to providing timely and transparent communication wherever possible, we will advise impacted individuals of any potential breaches.

We will update our list of Frequently Asked Question and answers as more information becomes available.

Sections included in the FAQ:

General Questions
Questions about Protecting Yourself
Questions about Notifications
Questions about Credit Monitoring
Questions about what to do next
Other Support and Resources
Media Contact

Read the media release here: County Issues Notifications on Cyber Security Incident Media Release

Frequently Asked Questions

General Questions

What happened?

Around April 1^st, 2022, the County of Elgin was the target of a cyber incident and access to its network was gained through sophisticated means by an unauthorized third party.

In connection with the cyber incident, certain County of Elgin data was accessed without authorization. On May 3^rd, 2022, the County was alerted by our cybersecurity consultants that some of this data was posted on the “dark web” internet, part of the internet that you can’t find with traditional search engines such as Google.

The County of Elgin values privacy and security and is enhancing safeguards and protections of its information and systems.

The County has contained and remediated the cyber incident and is:

transitioning to a more secure solution;
cooperating with the Ontario Provincial Police; and
working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted, and to whom the data belongs.

On May 13^th, 2022, the County of Elgin sent letters by Canada Post to impacted staff (current/former), retirees, as well as impacted residents (current/former) of Elgin’s Long-Term Care Homes where current physical addresses are available. At this point in our investigation, there is no evidence to show that general members of the public were impacted by the County’s data breach.

The County has worked deliberately, while taking care to provide information to impacted individuals as quickly as it could.

We are working with a team of third-party cybersecurity experts to investigate the incident further and are taking all necessary steps to respond to it. The investigation is ongoing and we will share any relevant information as it becomes available.

What is the "dark web"?

The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. It is the part of the internet that you can’t find with traditional search engines such as Google. Because it is hidden, getting to the dark web isn’t easy.

Who attacked the County of Elgin?

We have notified the Ontario Provincial Police, the Province’s Cyber Security Team, and the Information and Privacy Commissioner of Ontario. Law enforcement’s investigation of this incident is ongoing and we will actively cooperate with the authorities as they conduct their investigation.

We can’t provide additional information regarding the investigation at this time.

Was this a ransomware attack?

This incident does not appear to be a ransomware attack. Ransomware is a malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key which would allow an organization to regain access to their files.

We are working with a team of third-party cybersecurity experts to investigate the incident further and are taking all necessary steps to respond to it. The investigation is ongoing, and we will share more information as it becomes available.

Whose information was impacted by the County of Elgin data breach?

While the investigation is ongoing, evidence shows that an unauthorized third party gained access to files containing personal information belonging to:

some current and former staff of the County of Elgin; and
some current and former residents of Elgin’s three (3) Long-Term Care Homes.

340 total individuals were impacted, 33 of which were highly sensitive and for whom credit monitoring and theft protection services will be provided. At this point in our investigation, there is no evidence to show that general members of the public were impacted by the County’s data breach.

What kind of information was impacted?

The County of Elgin takes the protection of data and privacy very seriously. We are in the process of completing a comprehensive external forensics audit to determine the exact scope of this breach. For those individuals impacted by a sensitive personal breach, free credit monitoring and identity theft protection will be provided.

The County of Elgin has no evidence to suggest that personal information was used to commit fraud or identity theft as a result of this incident. However, we do recommend that you remain vigilant and report any suspicious activity related to your personal information while the forensic audit is ongoing.

As a result of a thorough investigation, the County has identified individuals whose information was impacted by the County of Elgin data breach and, as of May 13^th, 2022, sent the appropriate individual notifications via Canada Post where physical addresses are available. If the County does not have a physical address, but does have an email address, it has sent the notification via email. The County has worked deliberately, while taking care to provide accurate information, as quickly as it could.

Why would someone want this information?

While the exact motivation of the incident is unknown, we continue to work diligently with leading cybersecurity experts to gain a full picture of events. In the meantime, we recommend that you remain vigilant and report any suspicious activity related to your personal information while the forensic audit is ongoing.

Does this mean I am the victim of identity theft?

If the forensic audit reveals that sensitive personal information has been accessed in some cases, we will notify those affected and take steps to protect them, including offering free credit monitoring services.

Why did this take so long and why wasn't I contacted sooner?

This is a complex situation, and as soon as we discovered the cybersecurity incident, we engaged a cyber-forensics firm to conduct a comprehensive investigation and assist in our remediation efforts.

We are still in the process of completing this audit to determine the exact scope of the breach. Our commitment is to provide timely and transparent communication whenever possible.

The County was aware of the data posted to the Internet on May 3^rd, 2022. Nonetheless, to gain a comprehensive and complete understanding of the full extent of the attack’s impact, a leading forensic cybersecurity firm was engaged to determine precisely what happened and what data was access or acquired without authorization.

As part of that investigation, and to provide accurate information to impacted individuals, the County began analyzing the files, working with our external cybersecurity experts. As part of that effort, the County initiated a process to conduct a careful inspection of each and every file to determine what information was potentially affected in order to be able to provide accurate information and to give notice to each individual whose personal information was impacted.

In addition to using sophisticated tools to parse and search the data, the County also conducted a manual review of each and every file. This was a labour-intensive and time-consuming process that involved hundreds of hours of detailed review and analysis. The County used its resources to complete this investigation and analysis as quickly as it could, and, as of May 13^th, 2022, sent the appropriate individual notifications via Canada Post.

The County of Elgin takes the protection of data it holds very seriously. If this process concludes that sensitive personal information was accessed, we will be taking additional steps to inform and protect those affected, including offering qualifying individuals free credit monitoring services.

The County will update information on its website regularly https://www.elgincounty.ca/services/privacy-information/.

Why did the County not disclose information about the breach in the April 22, 2022 press release?

Around April 1^st, 2022, the County of Elgin was the target of a cyber incident and access to its network was gained through sophisticated means by an unauthorized third party. In the following weeks, we were informed of phishing emails circulating in the community, which appeared to be coming from the County of Elgin or the Municipality of Central Elgin.

Upon learning of these phishing emails, we issued a press release to inform our staff and the community of this situation and recommended that caution be exercised when opening emails and associated attachments from any source.

This is a complex situation and on April 22^nd, 2022, we were working internally and with our team of external experts to determine the exact scope and nature of the incident. While that determination was not clear enough to share publicly at that time, it was important for the County of Elgin to communicate with its population regarding the risks associated with the phishing emails.

What are you doing and what have you done in response to this incident?

On discovering the situation, we immediately activated our IT security protocols to contain the threat, shut down access to our systems, reported the incident to relevant authorities including Ontario Provincial Police, and retain cybersecurity forensic experts to conduct a comprehensive investigation and to strengthen our systems.

We immediately acted to protect our infrastructure and are in the process of resuming normal operations.

Going forward, the County of Elgin will take several additional security measures to strengthen its systems, and our teams are working hard to resolve this situation as efficiently and responsibly as possible.

What actions are you taking to better secure the County of Elgin's networks in response to this event?

When the County discovered the issue, it took the network offline and remediated the network. The County has enhanced its security measures in a number of ways.

Has the event been resolved? Or, Is the threat over?

We are confident that the incident has now been successfully contained and remediation processes are well underway.

We are working with a team of experts as diligently and as quickly as possible to restore full functionality to the entirety of our system and resume normal operations.

Has the County of Elgin notified the appropriate authorities?

Yes. The County has reported the matter to the Ontario Provincial Police, the Province’s Cyber Security Team and to the Information and Privacy Commissioner of Ontario. We will actively cooperate with authorities as they conduct their investigation and will continue to keep them apprised appropriately.

Questions about Protecting Yourself

Do I need to do anything?

The County advises that its staff and community members remain vigilant against threats of identity theft or fraud. Additionally, it’s always a good idea to be on alert for “phishing” emails or phone calls by someone who acts like they know you or are part of a community that you may do business with, and who requests sensitive information, such as passwords, social insurance numbers, or financial account information.

The County is offering free credit monitoring and identity theft protection services.

Individuals who qualify for free credit monitoring and identity theft protection services were notified on May 13^th, 2022. An activation code was included in the letter.

How can I protect myself against phishing email campaigns?

In light of these phishing campaigns, it is recommended that caution be exercised when opening emails and associated attachments from any source. Available options include the following:

Carefully check to make sure that the email address and sender’s name match;
Refrain from clicking on suspicious links;
Refrain from opening unexpected attachments; and
Do not provide personal information in emails.

How can I better protect myself?

We recommend that you remain vigilant and that you consider the following best practices related to the protection of personal information at all times for individuals:

Monitor your financial accounts. If you see anything you do not understand or activity that looks suspicious, you should call your financial institution;
Update your online passwords and use complex and unique passwords;
Be cautious of any unsolicited communications (phone call, email, etc.) that ask for your personal information or refer you to a webpage asking for personal information;
Avoid clicking on links or downloading attachments from suspicious emails; and
Report any incident to the appropriate authorities if you notice any suspicious activity.

Should I change my password?

There is no evidence to suggest log-in credentials were compromised. In any event, it is best practice to regularly change your passwords. All County of Elgin users have already completed a password change, just to be safe. We encourage all individuals impacted by this incident to change their passwords as well. We also recommend that you rotate and change your passwords regularly and use multifactor authentication for your online accounts when offered.

We ask that everyone remain vigilant against threats of identity theft or fraud.

It is always a good idea to be on alert for “phishing” emails or phone calls by someone who acts like they know you or are part of a company that you may do business with, and requests sensitive information, such as passwords, social insurance numbers, or financial account information.

Questions about Notifications

How can I find out if my information was exposed?

The County has identified the individuals whose information was impacted. These investigations take time, and the County is working deliberately to provide accurate information as quickly as it can.

As of May 13^th, 2022, the County sent the appropriate individual notifications via Canada Post. Impacted individuals are being notified by letters sent via Canada Post where current physical addresses are available. If the County does not have a physical address, but does have an email address, it has sent the notification via email. The County worked deliberately, while taking care to provide accurate information, as quickly as it could. For those whose personal information was highly sensitive, these notifications also included credit monitoring and identity theft protection.

If you did not receive notification but are still concerned, please email privacy@elgin.ca or visit our website https://www.elgincounty.ca/services/privacy-information/.

Why was I notified?

The security of our data is of the utmost importance to us, and we wanted to be transparent about this incident. Out of an abundance of caution, we are notifying our employees, residents, internal and external stakeholders and community members.

If the investigation concludes that additional sensitive personal information was accessed, we will be taking additional steps to inform and protect those affected, including offering free credit monitoring services to those whose sensitive personal information has been breached.

What should I do if I believe I am the victim of identity fraud or theft or if I suspect fraudulent activity?

If you believe you have been the victim of identity theft or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. If the forensic audit finds that sensitive personal information may have been accessed in some cases, we will notify you and take steps to protect those affected, including offering free credit monitoring services.

It is always a good idea to be on alert for “phishing” emails or phone calls by someone who acts like they know you or a company that you may do business with, and who requests sensitive information, such as passwords, social insurance numbers, or financial account information.

How will I know if my information was used by someone else?

If the forensic audit finds that sensitive personal information has been accessed in some cases, we will notify those affected and take steps to protect them, including offering free credit monitoring services.

Should I notify the County of Elgin about any of my data that was affected?

It is not necessary to notify the County about affected data from the County of Elgin data breach.

The County is working to identify the individuals whose information was impacted. These investigations take time, and the County is working deliberately, while taking care to provide accurate information as quickly as it can.

I didn’t receive a letter in the mail (dated May 13, 2022) from the County of Elgin. Does that mean my data wasn’t impacted?

Notices were sent to those individuals whose highly sensitive personal information was impacted in the event by Registered Mail on May 13, 2022 where current contact information was available. In certain other cases where appropriate, other individual were sent a notice by regular mail (Canada post) on May 13, 2022 where current contact information was available.

If didn’t receive a letter but are concerned, please visit our website https://www.elgincounty.ca/services/privacy-information/or email privacy@elgin.ca. We will get in touch with you and let you know within 3-5 business days.

When were the individual notifications sent?

The notifications were sent via Registered Mail (highly sensitive personal information) on May 13^th and to other individuals by regular mail (Canada Post) on May 13^th, 2022.

Have all affected people been notified?

We are in the process of completing a comprehensive external forensics audit to determine the exact scope of this breach. If this process concludes that additional sensitive personal information was accessed, we will be taking additional steps to inform and protect those affected including offering free credit monitoring services.

Should I expect an email or mail via Canada Post?

Impacted individuals are being notified by either Registered Mail or regular mail (Canada Post) in cases where we have a current physical address. The County is sending the notification via email if we do not have a physical address but do have an email address.

What data of mine was impacted in the County of Elgin data breach?

The impacted personal information is identified in your notification letter.

I didn’t receive information about credit monitoring and identity theft protection services in my letter, what should I do?

The County is providing credit monitoring to individuals requiring identity theft protection services based on the impacted information to the following groups:

Staff (current / former) whose sensitive personal information was breached; and
Residents (current / former) whose sensitive personal information was breached.

Note: sensitive personal information includes disclosure of financial, banking or credit card information, social insurance numbers, and health card numbers.

Questions about Credit Monitoring

Is the County providing any credit monitoring to everyone?

The County is offering free credit monitoring and identity theft protection services to the following groups:

Staff (current / former) whose sensitive personal information was breached; and
Residents (current / former) whose sensitive personal information was breached.

Note: sensitive personal information includes disclosure of financial, banking or credit card information, social insurance numbers, and health card numbers.

These individuals were notified on May 13^th, 2022 by letter sent via Canada Post where current physical addresses are available. If the County does not have a physical address, but does have an email address, it has sent the notification via email. An activation code was included in the letter. The County worked deliberately, while taking care to provide accurate information, as quickly as it could.

Am I eligible for free credit monitoring?

Individuals who are eligible for free credit monitoring and identity theft protection received notification to this effect on May 13^th, 2022.

If I already have credit monitoring and theft protection services in place, should I also sign up for the credit surveillance service offered by the County of Elgin?

We strongly encourage anyone who will receive a notification letter to sign up for this free service to help verify any unusual activity on their credit report. This service helps identify and verify any unusual activity on your credit report.

How do I sign up for the credit monitoring service?

If you received a letter that includes information about the credit monitoring service, it includes information about how to sign up and unique log-in information.

Can the County of Elgin sign me up for the credit service?

Credit monitoring companies must obtain your consent and information to verify and confirm your identity when you register.

Privacy and credit rules do not allow third parties to register you with a credit monitoring service.

If you run into any challenges, please reach out to privacy@elgin.ca for assistance or contact the organization listed in your letter.

I have not received a notice, but I believe I am eligible for credit monitoring.

Credit monitoring and identity theft protection will be provided, free of charge, to those individuals whose sensitive personal information was affected. Sensitive personal information, as advised by our external legal counsel, includes the following:

disclosure of financial, banking or credit card information;
disclosure of social insurance number(s); and
disclosure of health card numbers.

Individuals who are eligible for free credit monitoring were sent additional information about this service on May 13^th, 2022.

Questions about what to do next

My Social Insurance Number was compromised; what should I do next?

All individuals should remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any unauthorized transactions or activity.
If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police. You may also contact the credit reporting agencies to put a “fraud alert” or “security freeze” on your credit reports in the case of identity fraud or theft.

My phone number was compromised; what should I do next?

Watch for suspicious calls and contact your phone provider if these noticeably increase.
Add your name to the national Do Not Call list (https://lnnte-dncl.gc.ca/en)
Review your credit reports.
As a precaution, keep an eye on your bank and credit card accounts for unfamiliar transactions.

My health card information was compromised; what should I do next?

Contact the ServiceOntario INFOline at 1-866-532-3161 or visit https://www.ontario.ca/page/replace-cancel-or-change-information-your-health-card
Request that a new version code be issued.

My debit or credit card information was compromised; what should I do next?

Contact your banking institution for advice.
Change your online banking passwords.
Review your account transaction history closely for unfamiliar charges.
If you detect unfamiliar charges or other suspicious activity, contact your financial institution to cancel your card and/or report it as stolen.
Review your credit reports.
As a precaution, keep an eye on other bank and credit card accounts for unfamiliar transactions.

Other Support and Resources

What resources does the County of Elgin have if I'm concerned about my physical, mental or emotional well-being?

The County’s Employee and Family Assistance Program Homewood Health offers our staff confidential support. With many services available to support our team’s physical, mental and emotional well-being, Homewood Health is available 24 hours a day, 7 days a week. Visit homeweb.ca, call 1-800-663-1142 or reach out to our HR team (hr@elgin.ca) for more information.

What should I do if I have more questions?

The County is happy to answer any questions you might have about the event or the County’s response. Please reach out to the County’s Privacy Officer, Brian Masschaele, at privacy@elgin.ca or access the Information Request Form below.

Media Contact

Media Questions / Key Contact

Media inquiries are to be directed to the County’s Chief Administrative Officer, Julie Gonyou (cao@elgin.ca).

Information Request Form

We will review all information requests and respond within 3-5 business days.