Cybersecurity in Canada 2019: It was an ‘awesome’ year for attackers

By IT World Canada

No country is immune from cyber attacks. But 2019 saw Canadian organizations victimized like never before.

Arguably the worst breach — not only in 2019 one of the worst in Canadian history — was the theft of personal information on 15 million people in Ontario and B.C. held by medical test laboratory LifeLabs. This data included patient names, addresses, email addresses, login passwords, dates of birth, health card numbers and in some cases lab test results.

The second worse breach was the theft by a suspected employee of information on all 4.2 personal banking customers in Quebec and Ontario of the Dejardins credit union.

Copied were names, addresses, birthdates, social insurance numbers, email addresses and information about transaction habits. Not stolen were passwords, identification questions or secret codes.

While more people were victims of the 2015 hack of Toronto-based dating site Ashley Madison, it isn’t a financial or health institution and subscribers didn’t have to give real names.

Getting a handle on how many data breaches there are in this country is getting better now that most organizations have to report them to the Office of the Federal Privacy Commissioner (OPC).

In November the OPC estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory reporting — and that didn’t include the LifeLabs breach.

Small wonder Ed Dubrovsky, managing director for incident response at Toronto-based Cytelligence said “unfortunately it’s been an amazing year” — for attackers.

Among the publicly-reported incidents

• In August two people were arrested after a data breach at Quebec’s tax collection agency affecting 23,000 past and present employees at Revenu Québec. Most of the data were names and social insurance numbers. The province said an internal investigation showed the data wasn’t used for malicious purposes or sold to third parties;
• Public and private sector organizations were victims of ransomware. The city of Stratford, Ont., acknowledged paying the equivalent of $75,000 in bitcoin following an attack in April. Toronto’s Michael Garron Hospital was another victim, as were the government of Nunavut and the city of Woodstock, Ont.
• Proof of the alarming new trend of ransomware being combined with data-stealing capability was evident when a Manitoba-based insurance company acknowledgedit was hit by ransomware by a gang that threatened to release customer information unless it was paid;
• Organizations were also stung business email compromise scams, where an employee is convinced to change the bank account to where the money for invoices is usually sent. In August the city of Saskatoon admitted it was victimized for just over $1 million. In May the city of Burlington, Ont. acknowledged it was hit the same way; In November, Waterloo Brewing, an Ontario maker of beers, said a staffer wired $2.1 million to a supposed creditor’s account. Organizations must have business controls over verifying requested changes in payment procedure to prevent this from happening;
• The University of Ottawa’s online student news site was temporarily stripped of copy after the site was hacked;

• Attacks through suppliers were responsible for many incidents. Freedom Mobile blamed a third party for hosting an unprotected database with personal and credit card information on thousands of the wireless carrier’s subscribers on the Internet. TransUnion Canada said attackers compromised a Winnipeg leasing company to get access to personal information on some 37,000 Canadians held by the credit reporting agency; Verizon’s annual Data Breach Investigations Reporton thousands of incidents around the world, noted that 21 per cent of data breaches are caused by errors, either by employees or third parties;
• Questions were raised about the dealings of some organizations with suppliers. In December the city of Hamilton, Ont., notified residents of a potential disclosure of their personal information through Alectra Utilities, which provides water billing service for the municipality. According to a news report an India-based subcontractor to Alectra had access to customer data it held, and there may have been other subcontractors whose staff could also see personal data. The incident raised questions of consent;
• Nova Scotia’s privacy commissioner blamed the government for not doing enough security testing before making a new provincial Freedom of Information website live, allowing two people to hack the site in 2018 and make off with 7,000 documents including personal information of 740 people;
• Think small businesses won’t be attacked? Consider our report on a Halifax vegan restaurant whose Facebook page was defaced.

Among other newsworthy events in 2019

• The U.S. increased pressure on Canada not to allow Canadian wireless carriers to buy wireless network equipment from Chinese manufacturer Huawei for security reasons. A decision will likely be tied to the outcome of a Vancouver extradition hearing for Huawei’s CFO and the detention by China of two Canadians;
• A Bank of Canada executive was among many experts urging organizations to collaborate more on cyber best practices and threat information. In a related move the Canadian Cyber Threat Exchange (CCTX) lowered fees for public sector agencies;
• To help improve the security maturity of small and medium-sized businesses the federal government launched a cyber certification program. The hope is it will also increase public confidence in Canadian firms selling products online.

Dubrovsky sees some complacency in the attitude of Canadians and organizations. “We’re just accepting this is a risk,” as a result of the almost daily stories of breaches. “Unfortunately I don’t think there’s enough being done, still” by IT departments. “We don’t understand the threat actors are also ramping up both the damage they’re causing and the monetary demands.”

READ FULL ARTICLE MORE HERE: 

Source: IT World Canada