TORONTO — Computers at a Canadian insurance company were disabled for more than one week due to a ransomware attack that resulted in a payout of nearly US$1 million.
The attack happened last October, but is only coming to light now as efforts to reclaim the ransom make their way through the British court system.
The U.K. court action is being led by a British insurance firm with which the Canadian company had a policy protecting it against suffering losses from cyberattacks.
Neither company is named publicly in the lawsuit the British company has filed against the unknown attackers. In a court decision made last month and published Jan. 17, Justice Simon Bryan ruled that hearings in the case would be held in private and that the involved insurance companies’ names would not be published, saying anything else would open the insurance companies up to retaliatory and copycat attacks while also potentially giving the hackers a chance to cover their tracks.
“Publicity would defeat the object of the hearing,” Bryan wrote.
COMPANY TURNED OVER US$950,000
According to Bryan’s written decision, the hacker or hackers somehow “managed to infiltrate and bypass the firewall of [the Canadian company].” From there, they encrypted files on the company’s servers and locked desktop computers. They also left a note.
“Hello [company name] your network was hacked and encrypted. No free decryption software is available on the web. Email us … to get the ransom amount. Keep our contact safe. Disclosure can lead to the impossibility of decryption. Please use your company name as the email subject,” the message read.
The Canadian company got in touch with its British insurer, which hired ransomware response specialists. The hacker told the specialists they were demanding US$1.2 million in Bitcoin, but eventually agreed to US$950,000 “as an exception.”
The specialists then transferred 109.25 Bitcoin – roughly equivalent to US$950,000 at the time – of the British company’s money to the specified account. Although they had been promised a quick response, nearly 16 hours elapsed before the hacker got in touch again, giving them a decryption program.
Even with the program, it took five days to run it on each of the company’s 20 servers and five more to decrypt and unlock all 1,000 desktop computers.
Some of the Bitcoin was sold for other currency before specialists were able to locate it, but the bulk of the ransom – 96 Bitcoin – was traced to one specific account on one specific exchange.
The British company is suing the hacker as well as the owner of the account – it’s not certain if they’re the same person or not – as well as the Bitcoin exchange. The insurance firm is seeking a court order to force the exchange to reveal the identity of the account owner.
A RISING THREAT
The Canadian Anti-Fraud Centre (CAFC) described ransomware last September as “an increasingly common threat, targeting everyone from individuals and small businesses to large private enterprises and government organizations.”
Insurance companies are also known targets. One of the largest insurers in Oman was reportedly hit earlier this month. In Canada, Andrew Agencies Ltd. was targeted last fall but said it did not pay a ransom – implying that they are not the Canadian company at the centre of the British case.
The CAFC notes that there is no way to completely safeguard against these attacks, but says training employees to recognize cybersecurity threats, restricting access to computer administrative privileges and storing backup data offline can help protect an organization.
TORONTO, Jan. 20, 2020 /CNW/ – Brad Riddell has been appointed Vice President, CyberSecurITy at FlexITy, Canada’s leading Systems Integrator and Digital Transformation Solutions, by CEO Peter Stavropoulos.
As Vice President of CyberSecurITy Solutions, Brad Riddell is responsible for rapid expansion and growth while managing FlexITy’s emerging CyberSecurITy business. He brings more than 20 years of IT risk management, systems integration, and managed services, sales and delivery experience to the FlexITy organization.
“Brad is astute at understanding the cybersecurity challenges faced by Canadian companies and developing pragmatic solutions to effectively manage cybersecurity risk. He has a proven track record of building high performing teams that attract top cybersecurity talent that our clients require. As a longstanding trusted advisor to clients across many industries, Brad quickly earns their trust and develops long-lasting relationships,” said Peter Stavropoulos.
“FlexITy is a proven and trusted Systems Integrator focused on attracting and retaining top IT engineering talent and delivering robust, high performance and reliable solutions to their clients. We are applying this winning approach to cybersecurity to create Canada’s leading end-to-end cybersecurity services business. FlexITy will build tailored solutions targeted at solving the most daunting challenges such as ransomware, securing IoT devices, ensuring the safety of critical infrastructure, enabling secure electronic commerce, and ensuring the privacy of patient medical records,” said Brad Riddell.
Canadian companies now have a single trusted provider to design, deploy, secure and manage critical IT networks, systems and applications. By taking a truly integrated approach to network and system design, integration and security, FlexITy offers a unique capability unmatched in the Canadian market.
Along with the depth of FlexITy’s Infrastructure team of architects, pre-sales engineers, highly skilled and cross-certified integrators and project managers, all with the highest of government security clearances, we work with our best-of-breed strategic partners to develop and deliver broad and deep sets of Managed and Hybrid CyberSecurITy Solutions that make an immediate impact with clients across Canada.
The range of FlexITy clients serviced over the past two decades spans some of Canada’s leading financial, government, public sector, legal, media, telecommunications, insurance and health care institutions.
FlexITy, an award-winning integrator of smart technology, CyberSecurITy and service solutions, built on powerful and digitally advanced secure platforms and delivered with decades of expertise, is headquartered in Richmond Hill, with offices in Toronto and Winnipeg.
FlexSecurITy is a next-generation cybersecurity offering enabling organizations to protect the way people work today from advanced threats and compliance risks. FlexSecurITy protects organizations from the advanced attacks targeting them and protects the critical information people create while arming organizations with the right intelligence and tools to respond quickly when things go wrong.
FlexHealth-Powered by FlexITy is a suite of patient-centric solutions that integrate interactive mobile applications, secure health IT and data, and optimize healthcare management. FlexHealth engages patients and families, empowers clinicians and delivers outcomes that matter.
FlexTEL, a leading and secure managed business, provides Unified Collaboration Cloud Services for Enterprises seeking a holistic enterprise grade Collaboration Platform.
No country is immune from cyber attacks. But 2019 saw Canadian organizations victimized like never before.
Arguably the worst breach — not only in 2019 but one of the worst in Canadian history — was the theft of personal information on 15 million people in Ontario and B.C. held by medical test laboratory LifeLabs. This data included patient names, addresses, email addresses, login passwords, dates of birth, health card numbers and in some cases lab test results.
The second worst breach was the theft by a suspected employee of information on all 4.2 million personal banking customers in Quebec and Ontario of the Desjardins credit union.
Copied were names, addresses, birthdates, social insurance numbers, email addresses and information about transaction habits. Not stolen were passwords, identification questions or secret codes.
Getting a handle on how many data breaches there are in this country is getting better now that most organizations have to report them to the Office of the Federal Privacy Commissioner (OPC).
In November the OPC estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory reporting — and that didn’t include the LifeLabs breach.
Small wonder Ed Dubrovsky, managing director for incident response at Toronto-based Cytelligence, said “unfortunately it’s been an amazing year” — for attackers.
Among the publicly-reported incidents:
In August two people were arrested after a data breach at Quebec’s tax collection agency affecting 23,000 past and present employees at Revenu Québec. Most of the data were names and social insurance numbers. The province said an internal investigation showed the data wasn’t used for malicious purposes or sold to third parties;
Proof of the alarming new trend of ransomware being combined with data-stealing capability was evident when a Manitoba-based insurance company acknowledged it was hit by ransomware by a gang that threatened to release customer information unless it was paid;
Questions were raised about the dealings of some organizations with suppliers. In December the city of Hamilton, Ont., notified residents of a potential disclosure of their personal information through Alectra Utilities, which provides water billing service for the municipality. According to a news report an India-based subcontractor to Alectra had access to customer data it held, and there may have been other subcontractors whose staff could also see personal data. The incident raised questions of consent;
Nova Scotia’s privacy commissioner blamed the government for not doing enough security testing before making a new provincial Freedom of Information website live, allowing two people to hack the site in 2018 and make off with 7,000 documents including personal information of 740 people;
The U.S. increased pressure on Canada not to allow Canadian wireless carriers to buy wireless network equipment from Chinese manufacturer Huawei for security reasons. A decision will likely be tied to the outcome of a Vancouver extradition hearing for Huawei’s CFO and the detention by China of two Canadians;
To help improve the security maturity of small and medium-sized businesses the federal government launched a cyber certification program. The hope is it will also increase public confidence in Canadian firms selling products online.
Dubrovsky sees some complacency in the attitude of Canadians and organizations. “We’re just accepting this is a risk,” as a result of the almost daily stories of breaches. “Unfortunately I don’t think there’s enough being done, still” by IT departments. “We don’t understand the threat actors are also ramping up both the damage they’re causing and the monetary demands.”
TORONTO — Andrew Agencies Ltd., an insurance firm that operates in the Prairies, was recently targeted in a ransomware attack but says no personal information was taken.
Dave Schioler, the executive vice president and general counsel for Andrew Agencies, confirmed the security breach in an email statement to CTVNews.ca on Wednesday.
“We have uncovered no evidence of sensitive personal information or data being stolen or otherwise compromised,” he said in the statement. “We can advise that the incident has had minimal impact on our operations.”
Andrew Agencies, a full-service insurance and financial services firm, operates 18 locations in Alberta, Manitoba and Saskatchewan.
A hacker group known as Maze has taken credit for the attack online. The group was reportedly behind a ransomware attack that recently targeted the City of Pensacola, Fla.
Schioler said that Andrew Agencies did not pay a “ransom as part of the recovery effort.”
“We have taken this matter very seriously and have expended considerable resources in the investigation and remediation of this incident, including the use of third parties with expertise in similar incidents,” the statement reads.
In LifeLabs’ case, an estimated 15 million customers are believed to have been affected, with passwords, birthdays, health card numbers and even lab results potentially being accessed.
Brett Callow, a threat analyst with anti-virus software company Emsisoft, says while many of these types of attacks go unreported, it’s very likely there has been an increase.
“Most ransomware attacks are not specifically targeted and, as there’s been an increase in attacks on the public sector, it would seem inevitable that there has been an increase in attacks on smaller businesses too,” he said in an email statement to CTVNews.ca.
According to a report released this week by Emsisoft, at least 948 government agencies, educational institutes, and health-care providers were impacted by ransomware attacks in the U.S. in 2019. Emsisoft didn’t have information on the number of these types of attacks in Canada.
Callow says that in about 90 per cent of these cases, hackers are perpetrating these attacks through “email attachments or improperly secured remote access solutions.”
So how can companies and municipalities protect themselves from these types of attacks? Well, Callow says a good starting point is email filtering and training staff how to spot potentially hazardous emails.
“The fact that ransomware groups are now stealing data as well as encrypting it makes prevention and detection more critical than ever,” Callow says.
SHOULD COMPANIES PAY A HACKER’S RANSOM?
In short, no, says Callow, because there are a lot of unknowns.
“There is no guarantee that the decryption tool supplied by the cybercriminals will work or that they’ll even supply one.”
Callow added that every time a company pays to get its data back, it incentivizes these types of cyberattacks. However, he admits that some companies have no choice and have to take the risk because it may be the only option.
“For as long as companies pay ransoms, ransomware attacks will continue. The only way to stop the attacks is to make them unprofitable.”
Clients to Gain Greater Insight into the Effectiveness of Cybersecurity Investments
Marsh, the world’s leading insurance broker and risk adviser, announced the launch of an enhanced suite of cyber risk quantification consulting capabilities that offer clients new insight into the impact of their cybersecurity investments.
The enhanced consulting capabilities are powered by Blue[i] Cyber, a new cyber risk analytics engine that integrates Marsh’s market-leading cyber risk quantification models with X-Analytics, Secure Systems Innovation Corporation (SSIC)’s patented cyber risk model for which Marsh is the exclusive insurance broker and risk consulting provider.
With these enhanced cyber risk consulting capabilities, Marsh clients for the first time will be able to quickly and easily:
Evaluate the effectiveness of cybersecurity controls and prioritize risk mitigation accordingly.
Engage in data-driven “what-if” scenarios to evaluate existing and future cyber investments.
Evolve cybersecurity from technical jargon to a board-level conversation.
Meet cyber risk disclosures and reporting requirements more easily.
Use financial analysis of cyber risk exposure to inform their risk management strategies, including risk mitigation and risk transfer decisions.
“Although cyber often ranks high on risk agendas, many organizations struggle to understand how their cybersecurity strategy impacts their financial exposure to cyber risk,” said Reid Sawyer, US Cyber Risk Consulting Practice Leader, Marsh. “With Marsh’s enhanced quantification consulting capabilities, clients will be able to gain greater clarity into the impact their cybersecurity investments have on risk reduction and make more informed cyber risk capital allocation decisions.”
The enhanced cyber risk quantification consulting capabilities powered by Blue[i] Cyber are immediately available in the US, Canada, and Europe.
Marsh is the world’s leading insurance broker and risk adviser. With over 35,000 colleagues operating in more than 130 countries, Marsh serves commercial and individual clients with data driven risk solutions and advisory services. Marsh is a business of Marsh & McLennan Companies (NYSE: MMC), the leading global professional services firm in the areas of risk, strategy and people. With annual revenue approaching US$17 billion and 76,000 colleagues worldwide, MMC helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses: Marsh, Guy Carpenter, Mercer, and Oliver Wyman.
Thomson said the RCMP are seeing a spike in these kinds of scams, but instead of the CRA, the fraudsters claim to be from Service Canada.
“The Service Canada scam I’m seeing as the evolution of the CRA scam,” Thomson said.
Fraudsters tell victims their social insurance number (SIN) is compromised and then attempt a two-part scam.
First, they’ll attempt to coax your name, date of birth, SIN and other personal information from you.
Then they’ll say police or investigators need to follow up, which later turns into a demand for cash. Thomson said that usually takes the form of fraudsters telling victims to move money into a “safe account.”
Like with the CRA scam, Thomson said Canadian agencies wouldn’t call and ask for personal information.
Online shopping scams
As more and more shoppers turn to the internet to find that perfect holiday gift, fraudsters are taking notice.
Thomson said one scam comes in the form of an unbelievable offer for a wish-list item — but often it’s counterfeit or of an inferior quality.
To avoid being duped, Thomson recommends only shopping at well-known websites, reading reviews on lesser-known ones first, and using payment programs that have credit card protection.
“If a deal seems too good to be true, it probably is,” he said.
This scam typically preys on victims looking for extra cash during the holidays.
Fraudsters offer loans, Thomson said, and then either take personal information or begin to demand payments.
Thomson advises people to be cautious and only seek loans from credible providers.