The City of Ottawa experienced a data breach on its My ServiceOttawa online portal, exposing the email and physical addresses of approximately 2,454 users. The incident occurred on October 3 due to an isolated system error in the service request lookup tool, which allowed an unauthorized user to use a bot to access service requests linked to other accounts. No financial, password, or highly sensitive personal information was compromised. The city detected the breach promptly, blocked the unauthorized user, and conducted a thorough analysis to confirm the limited scope of exposure. Affected individuals were notified, and additional security measures were implemented to prevent recurrence. The city emphasized that the incident was contained to the lookup tool and that My ServiceOttawa itself remained secure.
Source: https://ca.news.yahoo.com/data-breach-serviceottawa-impacts-2-215809374.html
TPRM report: https://www.rankiteo.com/company/city-of-ottawa
"id": "cit2862628110525",
"linkid": "city-of-ottawa",
"type": "Breach",
"date": "10/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': '2,454',
'industry': 'Public Administration',
'location': 'Ottawa, Ontario, Canada',
'name': 'City of Ottawa',
'type': 'Government (Municipal)'}],
'attack_vector': 'System Error / Bot Exploitation',
'customer_advisories': 'Public statement released emphasizing the limited '
'scope of the breach and reassuring users of the '
"portal's overall security.",
'data_breach': {'number_of_records_exposed': '2,454',
'personally_identifiable_information': ['Email addresses',
'Physical addresses'],
'sensitivity_of_data': 'Low (no financial or highly sensitive '
'personal information)',
'type_of_data_compromised': ['Email addresses',
'Physical addresses']},
'date_detected': '2023-10-03',
'date_publicly_disclosed': '2023-10-03',
'description': 'The City of Ottawa confirmed a data breach on its online '
'service portal, My ServiceOttawa, involving the email and '
'physical addresses of approximately 2,454 users. The breach '
'occurred due to an isolated system error in the service '
'request lookup tool, allowing a user with access to a '
'specific service request number to use a bot to access '
'service requests linked to other accounts. No financial, '
'password, or other sensitive personal information was '
'accessed. The city blocked the unauthorized user upon '
'detection and conducted an analysis to confirm the limited '
'exposure and implement additional security measures.',
'impact': {'brand_reputation_impact': 'Minimal (city emphasized limited scope '
'and proactive response)',
'data_compromised': ['Email addresses', 'Physical addresses'],
'identity_theft_risk': 'Low (no sensitive personal or financial '
'data exposed)',
'operational_impact': 'Limited; isolated to service request lookup '
'tool',
'payment_information_risk': 'None',
'systems_affected': ['My ServiceOttawa portal (service request '
'lookup tool)']},
'initial_access_broker': {'entry_point': 'Service request lookup tool '
'vulnerability'},
'investigation_status': 'Completed (analysis conducted in October 2023)',
'lessons_learned': 'Importance of securing service lookup tools against '
'automated exploitation and implementing robust access '
'controls to prevent unauthorized data exposure through '
'system flaws.',
'post_incident_analysis': {'corrective_actions': ['Blocked the unauthorized '
'user to prevent further '
'access.',
'Improved processes and '
'implemented additional '
'security measures to '
'minimize recurrence.'],
'root_causes': 'Isolated system error in the '
'service request lookup tool '
'allowing unauthorized access via '
'bot automation.'},
'recommendations': ['Enhance input validation and rate-limiting in service '
'request tools to prevent bot-driven attacks.',
'Conduct regular security audits of public-facing portals '
'to identify and mitigate vulnerabilities.',
'Implement multi-factor authentication (MFA) for '
'sensitive service lookup functionalities.',
'Improve monitoring for anomalous access patterns in '
'user-facing systems.'],
'references': [{'source': 'City of Ottawa Public Statement (via Mishele '
'Joanis, Director of ServiceOttawa)'}],
'response': {'communication_strategy': ['Public statement',
'Notifications to affected '
'individuals'],
'containment_measures': ['Blocked unauthorized user access'],
'incident_response_plan_activated': True,
'remediation_measures': ['Process improvements',
'Additional security measures to '
'prevent recurrence']},
'stakeholder_advisories': 'Affected individuals were notified directly by the '
'City of Ottawa.',
'threat_actor': 'Unknown (user with access to a service request number)',
'title': 'City of Ottawa My ServiceOttawa Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Service request lookup tool flaw allowing '
'unauthorized access via bot'}