The RM of Gimli says an investigation into the cyberattack that disrupted its IT systems in April found no evidence residents’ personal or financial data was impacted or misused.
The RM posted a notice on April 28 about the incident, saying its IT systems had been impacted and that it had engaged an experienced cybersecurity firm to investigate.
About a month later, the RM said its systems had been restored.
In a June 18 post on its website, the RM’s chief administrative officer, Diana Chapman, said the cybersecurity investigation has concluded.
“Based on the work by our experts, we have no evidence that any personal or financial data of residents was impacted or misused,” wrote Chapman. “Upon discovering this cyber incident, the RM took every step to effectively and efficiently ensure the safety of our systems. The RM immediately retained experts to contain the incident and conduct a thorough investigation. Our staff and cyber expert team worked diligently to bring our systems back online safely while maintaining security of residents’ data throughout the investigation.”
A ransomware group known as Payload claimed responsibility for the attack and said it had encrypted the RM’s data. It gave the RM 240 hours (10 days) to negotiate payment.
To date, the RM has not confirmed whether the group known as Payload was responsible for the attack or whether a ransom demand was made.
The Express reached out to the RM for more information about Chapman’s June 18 statement.
When asked specifically whether residents’ data had been accessed during the cyberattack, RM spokesperson Christine Payne said there is no evidence it had and that the RM’s conclusion is based on the findings of the external cybersecurity experts it retained.
“Based on the work of external cybersecurity experts, we have no evidence that any personal or financial data of residents was accessed, impacted or misused,” said Payne. “As soon as the incident was identified, the RM retained external cybersecurity experts to contain the incident and conduct a thorough investigation. Their findings, based on detailed forensic analysis of our systems, determined that there is no evidence of personal or financial data being impacted or misused.”
She declined to say whether the RM’s cybersecurity experts searched the dark web for evidence that RM data had been posted there.
“At the advice of legal counsel, we are not providing specific details of the investigative methods used. However, we can reiterate that, based on the experts’ comprehensive investigation, there is no evidence that residents’ personal or financial data was impacted or misused,” said Payne.
She did not say whether data belonging to RM staff, contractors or council members had been accessed during the cyberattack, saying only there was no evidence personal or financial data had been “impacted or misused.”
“Based on the investigation, there is no evidence that personal or financial data was impacted or misused, and as such, credit monitoring is not applicable at this time,” she said.
The RM paid Vancouver-based CyberClan $31,122, according to its general payables document posted with council’s June 24 agenda.
When asked whether CyberClan had been hired to investigate the cyberattack, Payne said the “administration engaged CyberClan to provide IT services.”
When asked whether the payment represented one invoice or the total amount paid to CyberClan, Payne declined to comment.
When asked what a payment of $8,245.86 to Corey Thordarson’s Wired was for, Payne said it was for “IT/technical services.”
The Canadian Centre for Cyber Security says ransomware is “big business,” and cybercriminals have demonstrated an ability to adapt to evolving security measures. The agency says cybercriminals are likely to continue using advances in artificial intelligence to breach IT systems, including automating ransom negotiations with victims, while relying on cryptocurrency to process payments and launder money.
In its Ransomware Threat Outlook 2025-2027, the Canadian Centre for Cyber Security says that following a ransomware attack, threat actors often sell compromised consumer data on the dark web and that “once your data has been compromised, it will very likely remain in this ecosystem.”
The agency says organizations of every size and sector are at risk of ransomware attacks. Smaller organizations that rely on third-party managed service providers for IT support can be particularly attractive targets because of those providers’ access to multiple client networks and sensitive information.
The Five Eyes cybersecurity agencies — representing Canada, Australia, New Zealand, the United Kingdom and the United States — issued a call to action last week warning that artificial intelligence is increasing cybersecurity risks and should be treated as a business issue, not solely an IT issue.
The agencies warn that AI allows hackers with limited technical expertise to launch increasingly sophisticated cyberattacks while significantly reducing the time required to exploit newly discovered vulnerabilities.
“Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure,” the Five Eyes statement says.
Among the agencies’ recommendations are limiting access to critical systems and data, reducing unnecessary internet connectivity, promptly applying security updates and ensuring only authorized personnel have access to essential IT infrastructure.
