The Resort Municipality of Whistler (RMOW) has discontinued its lawsuit against Pique Newsmagazine in relation to its coverage of a recent ransomware attack that took most of the municipality's services offline until recently.
After the cyber attack came to light on April 28, the RMOW sued Pique on May 20, and applied for an injunction against the newsmagazine later the same day, seeking to restrict what details Pique could publish about the ransomware attack. The RMOW argued that it was seeking to protect the privacy of its staff. Pique opposed the application, arguing that there was no basis for any such order.
"We welcome the RMOW’s notice of discontinuance for its legal action launched against Pique,” said publisher Sarah Strother.
With its notice of discontinuance, received by Pique today, July 26, the RMOW is required to pay 100 per cent of Pique’s taxable costs for the lawsuit, in addition to its own legal costs.
A quickly compiled defence
Affidavits filed with the court show that RMOW Manager of Communications Gillian Robinson asked Pique on the morning of May 20 to alter a story by changing the description of information leaked to the dark web. When Pique declined, the RMOW launched the lawsuit and sought the injunction.
Pique’s position on the application was summarized in the Application Response it filed with the BC Supreme Court before the May 21 hearing. Pique noted its reporting on the late-April ransomware attack has been factual and balanced, and that no personal information was reported.
Pique argued its coverage of the ransomware attack was in the public interest, and that the municipality should not be able to dictate what is or is not published in a story that concerns the RMOW.
“While [the RMOW] might not like what has been reported, the citizens of Whistler are entitled to know about the event, about the consequences of it, and about what is potentially at stake,” stated Pique’s response, in part.
“The fact of the matter is the municipality is the story here. It’s a public interest story,” said Pique’s lawyer Scott Dawson in court on May 21.
“I cannot see how the municipality gets to dictate what the newspaper does or doesn’t do in its coverage of a story that concerns the municipality.”
RMOW lawyer Paul Hildebrand argued certain information published by Pique might “whet [the] appetite” of would-be criminals, who might then seek out the information on the dark web.
“We just don’t want information on the Internet that might provide an incentive and encouragement to others to go try and find this information…” he said in court.
Supreme Court Justice Sandra Wilkinson declined the RMOW’s request for a temporary order restricting the newsmagazine’s coverage. Referring to the injunctive relief the RMOW requested, Wilkinson said: “I have serious concerns about the precedent that this sets.”
The RMOW issued just three press releases about what it called the “cybersecurity incident” before launching the lawsuit, and in its sworn affidavits, claimed not to know what information was being leaked on the dark web about its employees. Following the launch of the lawsuit, the RMOW has issued a further three public updates.
Pique editor Clare Ogilvie described the significance of the ransomware coverage in an affidavit filed with the court. “While the three releases outline the steps the municipality is taking to deal with the attack, and offer assurances to the community, the releases do not clearly explain the level of threat to the citizens of Whistler. As editor, I consider it to be in the public interest to cover the story.”
On April 28, the day the attack became public, a message from the hackers was posted on the RMOW website and then, as screenshots, to two popular Facebook groups. Both Facebook posts were still available to view as of July 26.
While the ransomware attack was reported by other media outlets, the RMOW only took legal action against Pique.
“The article deals with matters of public interest. For example, the press releases issued by the municipality did not contain all of the information necessary for the public in Whistler to determine, among other things, what risks might arise to their personal and private information from the attack. It was in the public interest for the Pique to provide its readers with a broader understanding of the story,” stated Pique in the defence it filed with the court on June 10.
A second front
After its application for a temporary injunction was denied, the RMOW decided to try another avenue to control what Pique printed.
On June 7, RMOW staff contacted Pique expressing an intention to issue a demand under the Freedom of Information and Protection of Privacy Act, which would seek to have the newsmagazine reveal what information it had from the ransomware attack and destroy or return records in Pique’s possession.
Pique informed the RMOW that it did not have any private RMOW employee information in its possession, and RMOW staff indicated that they accepted that statement.
However, on June 11, the RMOW issued the demand. Pique objected, saying that such a demand required reasonable grounds to believe that the newsmagazine was in unauthorized possession of certain personal information belonging to the RMOW.
In response to the RMOW’s demand, Pique lawyer Catherine George said: “ … Pique has already informed the Resort Municipality of Whistler that Pique does not have in its possession any private RMOW employee information. Ms. Gillian Robinson of the RMOW then specifically advised Pique that she accepts Pique’s advice.”
In a press release on July 8, the RMOW said it was satisfied that legal action is no longer required.
“Council’s decision to commence legal action was for the sole purpose of protecting the private personal information of employees who had their information accessed as the result of a cybercriminal act,” said Mayor Jack Crompton in the release.
“The RMOW has a legal obligation to protect all private, personal information in its care. When the Pique published details of this information and declined our request to not include this information in their online version, we felt that legal action was necessary to protect employees from further harm and a further violation of their privacy.”
The RMOW also informed Pique on July 7 that it did not require any further response to the Freedom of Information demand.
At press time, the RMOW could not say how much the now-abandoned lawsuit cost taxpayers, noting that Pique would have to obtain such information under the Freedom of Information Act.
Meanwhile, the RMOW said it is still in “recovery mode” from the attack, and expects full recovery to take at least until the fall.
The RMOW said it has not found evidence that the private, personal information of the public was obtained by criminals in the attack.
An RCMP investigation is ongoing and the RMOW continues to work with the Office of the Information and Privacy Commissioner of B.C. on the incident.
If it is determined that people’s personal info was accessed, the RMOW will notify those individuals directly, it said.
Experts leading the RMOW’s investigation believe the criminals accessed the RMOW’s network through a zero-day vulnerability (an exploit previously unknown to the developer).
Pique reported the potential vulnerability on May 13, noting that it’s possible the criminals gained access through a zero-day exploit found in SonicWall VPN, a service used by the RMOW.
The RMOW would not confirm if the exploit was found in SonicWall, or if it installed a patch released in February that fixed the vulnerability.
The RMOW said it did not receive a ransom request from the criminals, nor did it make any payment or engage in dialogue with the criminals.
A report on the incident will be presented at a future Technology Advisory Committee meeting—which are typically closed to the public—once the investigation and recovery is complete. Pique’s request to the RMOW to confirm that the report will be made public remains unanswered.