Sensitive personal data among thousands of files exposed in Elgin cybersecurity incident: Gonyou – London
A cybersecurity incident that took Elgin County's website and email services offline in April resulted in thousands of county files, some containing highly sensitive personal information, being posted on the dark web, the county's chief administrative officer confirmed on Monday.
Officials in the county south of London, Ont., had said little about the incident in recent weeks, but now say about 26,000 files and the information of some 300 people were compromised after an "unauthorized third party" gained access to the county's network.
Highly sensitive data belonging to 33 people, including social insurance numbers, health card numbers and financial information, was among the published data, Elgin CAO Julie Gonyou said in an interview with Global News.
“We are providing 12 months of credit check and identity theft protection to those 33 people whose sensitive information was compromised,” Gonyou said Monday.
For the more than 260 others affected, the compromised information was data that was not necessarily of high value to cybercriminals but that could pose a greater reputational risk, such as performance appraisals and termination letters, she said.
"Those affected were current and former Elgin County staff, as well as current and former residents of our long-term care homes. In the long-term care homes, five people were affected," Gonyou said. The county operates three long-term care homes: Bobier Villa, Elgin Manor and Terrace Lodge.
“We took immediate action to notify these people … All notifications came out on Friday.”
County officials confirmed for the first time that there had been a “cybersecurity incident” in a note that was distributed to staff on March 31 and obtained by the London Free Press.
In the memo, Gonyou wrote that a large volume of spam containing malicious attachments or links was being sent to staff members, and that an external consultant had been hired to investigate the incident and monitor for data breaches.
On Monday, Gonyou said that after learning of unauthorized access to the network, the network was shut down immediately on April 1 to mitigate further damage, a closure that would last until April 27, affecting the county’s website and email services.
On May 3, Elgin officials were alerted by their cybersecurity consultant that the information had been posted on the dark web, she said.
"There were 26,000 files, some of which were not active. It was actually a published directory of files. We manually reviewed and evaluated each of the 26,000 files against a set of criteria," Gonyou said.
“I would say this was a very, very small percentage of the total volume of files we host in the county. And it was kind of sampling on several different servers and different files.”
There was no “rhyme or reason” as to the service areas affected by the breach, Gonyou says, noting that the county offers about 25 different services. “It’s hard to tell if certain areas were affected more than others.”
Global News first reported in late April that a cybersecurity expert had noted that data purporting to belong to the county had been posted on the dark web leak site of the notorious Russian-speaking ransomware group Conti.
The allegedly uploaded data included at least a 40 megabyte ZIP file labeled “elgin_AccountsPayable”. Global News was unable to independently verify the authenticity of Conti’s list or allegedly published data, as it appeared to have been removed the next day.
The cause of the cybersecurity incident is still under investigation, but Gonyou says the county does not consider the incident to have been a ransomware attack.
"We shut down our network, which I think is very different from a ransomware attack, where I believe that in those circumstances cybercriminals or threat actors shut down your system or hold your information for ransom," she said. The county did not pay a ransom, and its systems were brought back online on April 27, she said.
An expert on cyber threats, however, says it all depends on your definition of ransomware.
“Ransomware has evolved over the past two years,” said Brett Callow, a Vancouver-based threat analyst at cybersecurity firm Emsisoft.
"In the past, they used to simply shut down their targets' networks. Sometimes they still do, but they also steal a copy of the data and use it as additional leverage to extort payment. Sometimes they skip the encryption process entirely and just steal the data."
When asked whether Conti was believed to have been involved in the incident, or whether the county or its cybersecurity consultant had contacted the group, Gonyou declined to comment, citing an ongoing Ontario Provincial Police (OPP) investigation with which the county is cooperating.
Gonyou said on Monday that she did not know whether any of the compromised information had been downloaded.
"I think once this is published ... it presents a risk regardless," she said.
Since publishing Conti’s initial story in late April, Global News has learned that Elgin’s alleged data has also been posted on the dark web portal of another ransomware group. Global News does not identify the group, as the data was still live on Monday afternoon.
This data dump, which measures about 50 gigabytes, also contains an “elgin_AccountsPayable” folder, along with directories labeled “Engineering”, “elgin_data” and “elgin_hr”.
"Thank you for this information. I will follow up, but I have no further comment," Gonyou said when told about the second data dump. Gonyou also declined to say whether the county had had any contact with any ransomware group, citing the OPP investigation.
When asked whether it was unusual to see data posted on the leak sites of two different ransomware groups, Callow explained that most ransomware groups operate on a ransomware-as-a-service model.
"You have the group that creates the ransomware and, in effect, rents it out to other people who use it in their attacks," and they share the revenue among themselves, he said.
"One possibility here is that an affiliate carried out the attack using Conti's ransomware, which Conti has since given up, and so the affiliate took it to another ransomware group to try to extort money."
According to the Canadian Centre for Cyber Security, Conti is considered "one of the most sophisticated ransomware groups in operation" and often targets hospitals, governments, medical networks and other critical services.
Speaking to Global News last month, Callow said Elgin was unlikely to have been targeted for any particular reason, and that the overwhelming majority of attacks are opportunistic, carried out through malicious links in phishing emails or unpatched vulnerabilities in internet-facing systems.
Following the cybersecurity incident, Gonyou said the county had implemented additional safeguards and protections for its computer network.
"We are conducting regular system health checks and improving staff training across the corporation. In addition, our work with our external cybersecurity team is ongoing, so we will continue to investigate the matter," she said.
“We also look forward to receiving recommendations from our consultants.”
With cyberattacks increasingly common against organizations large and small, Gonyou says other organizations should learn from Elgin's case and be hyper-vigilant about cyber threats.
"Elgin County had solid systems in place, so threat actors or perpetrators are using very sophisticated means to infiltrate IT systems and networks," she said.
According to the Canadian Centre for Cyber Security (CCCS), ransomware is the most common cyber threat facing Canadians.
“Ransomware is not a new problem. Observed as early as 1989, ransomware has become one of the most popular types of cybercrime in the last 15 years,” says a 2021 CCCS cyber threat bulletin.
The bulletin notes that ransomware-as-a-service operations have helped increase the impact and scale of ransomware attacks in recent years. According to the agency, global ransomware attacks increased by 151 per cent in the first half of 2021 compared with the same period in 2020.
"The Cyber Centre is aware of 235 ransomware incidents against Canadian victims from January 1 to November 16, 2021. More than half of those victims were critical infrastructure providers," the report says, adding that most attacks go unreported and that some victims are hit multiple times.
“Despite a temporary lull after international action, we assess that ransomware will continue to pose a threat to the national security and economic prosperity of Canada and its allies in 2022, as it remains a profitable activity for cybercriminals.”
© 2022 Global News, a division of Corus Entertainment Inc.