Developer breaches Newmarket website for resident data, urges better cybersecurity

https://www.newmarkettoday.ca/local-news/developer-breaches-newmarket-website-for-resident-data-urges-better-cybersecurity-12289985

Publish Date: 2026-05-19 14:03:00

Source Domain: www.newmarkettoday.ca

Town confirms 24 records were accessed, and that security issues have been addressed
Newmarket resident and software developer Daryl Burke said he was exploring the winter parking ban on the Town of Newmarket website when he noticed the security was amiss.

Burke, who also does online security research, said he could tell the website was vulnerable. He found he was able to access the private information of residents — and knew more malicious hackers could have done the same.

Burke said addressing the issue with the town has been frustrating, and he questioned how much they’re taking responsibility for the vulnerability.

“Every community from the town (says) we follow industry standard,” he said. “They’re hiding behind those statements when in reality there are massive holes.”

The breach occurred March 20. Burke said the town’s website — which has since been updated and restructured — had a vulnerability that was easy to expose in the scripting language, with the parking system using “sequential, predictable account numbers” and the back-end not checking whether the person asking for an account record was entitled to see it.

Burke said the vulnerability likely existed for an extended time. He said this could be an issue, given threats like those in a 2024 Canadian Centre for Cyber Security bulletin warning about state-sponsored Chinese cyber actors targeting all levels of government for cyber espionage.

“The Cyber Centre encourages provincial, territorial, Indigenous, and municipal governments, as well as Indigenous governance organizations, to bolster their awareness of and protection against sophisticated cyber threat activity,” the federal cybersecurity bulletin said.

With the town not having log data for website access going back longer than 90 days, there is no way to be certain if someone else may have accessed other residents’ information without informing the town, as he did, he said.

Also at issue was that the back-end server systems were years out of date, Burke said, making them more vulnerable to attack without more recent updates.

The deficiencies in the system “compose into a functional attack chain that any moderately capable adversary could have executed,” Burke said.

The town said it immediately engaged with its third-party administrator to investigate and secure the system after the breach, resolving the misconfiguration.

“The town also conducted a manual review and determined that a limited amount of non-sensitive personal information was accessed without authorization,” the municipality said. “Having recently confirmed the 24 records accessed, the town is in the process of notifying the individuals directly.”

The town further said it has reported the matter to the Office of the Information and Privacy Commissioner of Ontario.

The municipality said it is aware of Canadian Centre for Cyber Security advisories warning of vulnerabilities affecting certain websites. The town said it has identified vulnerabilities prior to the issuance of advisories and taken appropriate steps.

“Specifically, interim security measures were implemented to secure and monitor the system on an ongoing basis until it could be fully replaced as part of the Town’s planned website modernization initiative. The Town did not experience any security issues occurring during this period,” the municipality said.

The town now has a new website in place, which it said is from a third-party provider specializing in cybersecurity.

“The town continues to actively monitor its digital services and applies regular security updates and enhancements to safeguard its systems and protect the information under its control,” the municipality said.

Burke said he has struggled to get what he considers satisfactory responses from the town, with the town denying accountability and not responding to all his concerns regarding security processes being followed.

He said he is complying with the town’s instructions to provide the data taken and delete all copies, not intending to do anything with it, though he said that process has also been drawn out.

He said the rise of artificial intelligence makes cybersecurity even more important for municipalities. AI tools have made it easier to attack systems, he said, and municipalities have to be getting ready for that.

“It makes the hackers 10 times more effective in breaking into these systems,” Burke said. “This storm is coming, and municipalities and companies need to be proactive. They need to educate themselves.”

The town said cyber incidents are an ongoing reality for all organizations.

“With this matter, the town responded quickly and thoroughly, and as part of our cybersecurity program, we engage third‑party experts to ensure we maintain industry best standards,” the municipality said. “We continue to strengthen our systems and monitoring capabilities as part of our ongoing commitment to protecting information.”
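
The flaw Burke describes, sequential account numbers served by a back-end that never checks whether the requester is entitled to the record, is sketched below next to a corrected lookup and a log check for sequential walks. This is an added example, not code from the town's system or from Burke; the account data, user names, function names and log format are all constructed assumptions.

```python
# Added illustration, not code from the town's system. All names, account
# numbers and log entries below are constructed.
from collections import defaultdict

ACCOUNTS = {  # constructed records keyed by sequential account number
    1001: {"owner": "alice", "plate": "SAMPLE1"},
    1002: {"owner": "bob", "plate": "SAMPLE2"},
    1003: {"owner": "carol", "plate": "SAMPLE3"},
    1004: {"owner": "dave", "plate": "SAMPLE4"},
}

def lookup_unchecked(session_user, account_no):
    """Flawed pattern: the record is returned to whoever supplies its number."""
    return ACCOUNTS.get(account_no)

def lookup_checked(session_user, account_no):
    """Hardened pattern: entitlement is verified server-side on every lookup."""
    record = ACCOUNTS.get(account_no)
    # "Not found" and "not yours" get the same answer, so responses do not
    # confirm which account numbers exist.
    if record is None or record["owner"] != session_user:
        return None
    return record

def longest_run(numbers):
    """Length of the longest run of consecutive integers in numbers."""
    seen, best = set(numbers), 0
    for n in seen:
        if n - 1 not in seen:  # n starts a run
            length = 1
            while n + length in seen:
                length += 1
            best = max(best, length)
    return best

def flag_sequential_walks(log, min_run=3):
    """Return clients whose requested account numbers include a run of
    at least min_run consecutive values, a sign of enumeration."""
    requested = defaultdict(set)
    for client, account_no in log:
        requested[client].add(account_no)
    return sorted(c for c, nums in requested.items() if longest_run(nums) >= min_run)

SAMPLE_LOG = [  # constructed (client, account number) pairs
    ("alice", 1001), ("bob", 1002), ("bob", 1002), ("carol", 1003),
    ("client-x", 1001), ("client-x", 1002), ("client-x", 1003), ("client-x", 1004),
]
```

A check like `flag_sequential_walks` can only look back as far as access logs are retained, which the article puts at 90 days for the town.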