Of all the publicly-disclosed data or privacy breaches in this country in 2015, one topped them all by a wide margin: Ashley Madison.
With over 30 million records exposed from the dating site, a $578 million class action suit filed against parent Avid Life Media, the CEO resigning after his emails were published, the attack is easily one of the largest reported in Canadian history.
But it’s easy for infosec pros to sit back and think, ‘Thank Gawd my company isn’t such a big fat target.’ Instead, they should remember all of the smaller breaches that happened this year as a lesson that large corporations and government departments aren’t the only targets. Here are just three of them:
– A successful phishing attack in September against the Association of Professional Engineers and Geoscientists of Alberta (APEGA) yielded members’ names, email addresses and association ID numbers. The vehicle was an email supposedly from CEO Mark Flint. The association has 75,000 members, but it didn’t say how many names were exposed;
– This month a Calgary wine store had to pay $500 in Bitcoin to meet a ransomware demand or lose access to its database. According to the CBC, after paying, the company received an unofficial receipt thanking it for the involuntary “purchase”;
– Worried about insider threats? Here’s one you weren’t thinking about: Senior bureaucrats at British Columbia’s District of Saanich approved the installation of monitoring software on certain computers — including the mayor’s. Somehow he didn’t get told. Among other things, staff were afraid he might discover IT security shortcomings.
These are some of the incidents involving better-known organizations:
– A Rogers Communications staffer was the victim of a phishing attack that led to the loss of a “small number” of business agreements, which included the business name, address, phone number and pricing details of the corporate customers, but not personal or financial information;
– In March Ontario’s Education ministry acknowledged that 5,000 unencrypted email addresses of people who had left contact information on a site looking for a workshop were exposed;
– A Toronto luxury hotel managed by one of Donald Trump’s companies was one of seven in a chain hit by POS malware. An unknown number of customers have been warned that payment card account numbers, card expiration dates and security codes may have been copied as the data went into the payment card system in the hotels there and in two properties in New York City, and one each in Miami, Chicago, Las Vegas and Waikiki;
– Symantec said four unnamed Canadian firms were among 49 organizations in more than 20 countries hit by a group looking not for credit card information but for corporate data and intellectual property. Victims included Twitter, Facebook, Apple, Microsoft and firms in the pharmaceutical, legal, oil and precious metals sectors;
– Pesky hacktivists were at it again, temporarily overwhelming a number of federal Web sites with DDoS attacks. The group calling itself Anonymous took responsibility as a protest against the government’s anti-terrorism bill, C-51. It also hacked into the Police Association of Ontario and released member information;
– CBC reported that information about approximately 2,200 General Motors Finance customers was “inappropriately accessed” by a former employee, and may have been used to create phony identification. The scam was revealed when two women in a stolen car were found with numerous ID documents in the names of eight other people who had one thing in common: All had financed their cars through GM. Criminal charges have been laid;
– The Calgary Sun reported that records of nearly 30 University of Calgary employees were fraudulently accessed, leaving some staff without their latest pay cheques. http://www.calgarysun.com/2015/09/27/university-of-calgary-suffers-a-data-breach-into-employees-personal-records;
– The Calgary-based Cavirtex bitcoin exchange closed its doors in March after discovering an older version of its database, including two-factor authentication information and hashed passwords, may have been compromised. No customer funds were lost, but the company felt the damage to its reputation would be severe;
– The Eastern Health authority of St. John’s, Nfld., admitted it had lost an unencrypted USB drive with information on 9,000 employees. About a third of the names had social insurance numbers. The institution had been scanning employee files to the thumb drive so hard copies could be shipped to a records storage company;
– Finally, in what could be a huge breach, Vancouver-based PNI Digital Media (a division of Staples), which hosts online photo centres for a number of major retailers, was hit by an attack that forced some companies to close their photo Web sites. According to the Toronto Star, Walmart Canada has told customers who used its photo centre from June 2014 to July 2015 that their credit card data and other personal information had been compromised.
So far neither Staples nor PNI has made a statement. There is a brief mention in Staples’ latest quarterly report of $3 million in “PNI data security incident costs.”
As I said at the beginning, these are among the publicly-disclosed incidents. With only one province — Alberta — having mandatory breach disclosure legislation, it’s not easy to get a handle on what’s happening. One company keeps a breach level index that counts 54 Canadian incidents so far this year, but doesn’t say where the information comes from, so its accuracy is unclear. It often lists the number of records breached as “unknown.”
This lack of public information about data breaches bothers a number of security experts, including Satyamoorthy Kabilan, the Conference Board of Canada’s director of national security and strategic foresight.
“One of the biggest challenges is there are unreported events,” he said in an interview. “(If) we don’t know how many breaches there are in total, we will never really know all of the cyber issues that are faced by organizations because many will go unreported for a variety of reasons, some of which may be good ones. But that presents a problem in terms of assessing the risk fully, and in terms of what challenges we have to face.”
We will get some increased visibility when the Trudeau government proclaims data retention and breach notification obligations for organizations covered by the federal privacy act (PIPEDA), which was changed last year by the Conservative government. Organizations will have to report to victims and the federal Privacy Commissioner when personal information has been lost or stolen. The regulations will spell out what has to be reported as well as how much the privacy commissioner can reveal.
When those regulations will be proclaimed is a question. A spokesman for the department of Innovation, which has responsibility for the file, would only say in an email that “options regarding next steps, including consultations, are being developed.”
Meanwhile “from my perspective we are really working in the dark” when it comes to figuring out how bad the breach situation is here, says Benoit Dupont, network scientific director of SERENE-RISC, a Montreal-based cyber security research centre.
Unlike the U.S., where Congressional or state legislatures hold quick public hearings on highly-publicized breaches, almost nothing has been heard about the attack since Ashley Madison acknowledged the intrusion. A group calling itself the Impact Team justified the attack because the company charges $19 to fully remove members’ profile information. It also made a moral justification, complaining that Avid Life Media sites encourage sexual cheating. Ultimately Impact Team released three dumps of data, some of which was encrypted. However, in September the password-cracking group CynoSure Prime said it had broken the protection on 11 million passwords.
Initially Avid Life Media CEO Noel Biderman hinted that a contractor (someone who “had touched our technical services”) with access to its systems was responsible. In fact, he claimed he knew exactly who it was. However, there’s been nothing since, although Toronto police are investigating and it can take time to assemble a case. Dupont described it as a “very surprising breach, because it doesn’t fit any of the patterns of other high-profile breaches in the sense that since August we’ve heard nothing about it.”
It also isn’t known how much damage the attack (an analysis of the leaked data by some suggests the majority of Ashley Madison subscribers were men) has done to the company. But some security experts say there are two lessons from this attack: First, a company that claimed it had tough security wasn’t looking closely enough at potential vulnerabilities, and second, that Web sites with a sexual tinge will be targets.
Looking at the publicly-reported incidents “the majority of breaches happened not because the attackers were especially sophisticated or innovative,” Dupont said, “but more because systems are so poorly protected and many companies still make the same low-level mistakes people have been talking about for the past 10 years. Unfortunately, 2015 wasn’t much different from the previous years, despite efforts by the press and government agencies to raise awareness and raise capacities to protect against these types of incidents.
“It’s depressing actually.”
The year also saw several other notable reports:
– The Canadian Radio-television and Telecommunications Commission (CRTC) served its first-ever warrant under Canada’s anti-spam law (CASL) this month to take down a command-and-control server in Toronto as part of a co-ordinated international effort. The server distributed the Win32/Dorkbot malware. However, the majority of spam and malware still comes from outside the country;
– The RCMP released its Cybercrime Strategy, which sets out an operational framework and an action plan to help the national police service reduce the threat and impact of cybercrime here. Over the next five years it will create a new investigative team dedicated to combating high-priority cybercrime, establish a dedicated intelligence unit to identify new and emerging cybercrime threats, and improve digital forensic evidence capabilities for cybercrime investigations.
Finally, a former hospital clerk who pleaded guilty to selling securities without a licence was given a $36,000 fine, two years of probation and 300 hours of community service by an Ontario judge for selling over 12,000 confidential maternity patient records to registered education savings plan (RESP) firms. In a separate hospital data-selling case, a Toronto nurse and an RESP broker are facing criminal charges, including bribery.