Six months after cyberattack, LifeLabs says it has appointed a CISO and rolled out new security policies

ITworld Canada

Half a year after suffering arguably the worst data breach in Canadian history, LifeLabs provided its customers with an update on what it’s doing to make sure history isn’t repeated.

In an email obtained by IT World Canada, LifeLabs chief executive officer Charles Brown released a statement to customers on June 11, noting “I cannot change what happened, but I assure you that I have made every effort toward making change to provide you services you can trust.”

Here is the list of changes LifeLabs is introducing, according to the email:

Part of an email from June 11 sent to LifeLabs customers. According to his LinkedIn profile, LifeLabs’ former senior IT manager was appointed to be the CISO last December.

Brown also wrote that the breach delivered LifeLabs a stern reminder that “we must continuously work to protect ourselves against cybercrime” and that “data protection and privacy are now central to everything we do.”

The update from LifeLabs comes on the heels of a report from data protection company Veritas that says public consumers are seeking apologies, fines and even prison sentences for CEOs who fail to protect their businesses. Forty per cent of consumers hold business leaders personally responsible for ransomware attacks businesses suffer, according to the Veritas survey, which interviewed roughly 12,000 consumers. Thirty per cent would demand the CEO be banned from running a company if it suffered a cyberattack. Twenty-three per cent of those surveyed want to send CEOs to prison for mishandling data.

And despite nearly 90 per cent of respondents in a recent survey conducted by The Office of the Privacy Commissioner of Canada (OPC) saying customer privacy is an important corporate objective, only 60 per cent of those businesses say they have procedures in place to respond to customers’ requests to access their personal information.

Source: IT World Canada

Shaw informs customers of data breach six months after incident

ZACH LAING | The Calgary Herald

Some Shaw customers received letters in the mail this week saying some of their customer information was breached six months ago, Postmedia has learned.

The breach happened on June 22, 2019, when a Shaw employee had their corporate laptop stolen. In a letter to affected customers, Shaw stated the laptop contained “a limited amount of customer information — including customer names, account numbers, a list of services they subscribe to with Shaw, and whether their accounts were active or closed.”

The letter said the risk was believed to be “very low” and recommended users change passwords and enable two-step verification on their accounts.

In a statement to Postmedia Friday, Shaw said the laptop contained no financial information.

“These documents did not include any customer financial information or personal identifiers. Over the past week, we’ve informed our customers of the incident and asked them to take precautionary measures to ensure their account information remains secure,” they added.

Shaw says their investigation into the matter was complex and took several months to conclude.

“Following our detailed investigation, we have no evidence of misuse of any information contained in the documents on the laptop, and believe the risk to our customers is very low,” they stated, adding they continue to work with local authorities to locate the stolen laptop.

The breach comes after Shaw-owned Freedom Mobile suffered a data breach affecting 15,000 customers in late March. Freedom said at the time a “very limited amount” of customer data was exposed as a result of a misconfigured server.

When asked why it took six months for customers to be informed and how many customers were affected, Shaw did not respond.

The Office of the Information and Privacy Commissioner of Alberta said in a statement there was no record of a breach reported by Shaw Communications to them since June but that since Shaw is a federally regulated entity, they may have been required to report the breach to the federal privacy commissioner.

Bank breaches highlight rise of cyber threats as new exploitation strategies emerge

Apparent attempts to extort two major Canadian banks highlight the increasing threat and variety of cyberattacks against major companies.

Attacks against BMO and CIBC-owned Simplii that compromised the information of up to a combined 90,000 Canadians, made public Monday, appear to be the latest in a number of high-profile ransom attacks. The attacks have the banks in damage control mode, prompting them to assuage client concern about the safety of Canadian accounts.

CBC reported that it received a letter from someone who said they demanded a $1-million ransom from the targeted banks.

The banks would not confirm the CBC report Tuesday. BMO said only that a “threat” was made, but it has a policy of not making payments to fraudsters, while Simplii was similarly cryptic, saying only that fraudsters may have electronically accessed some data, but that its practice is not to pay ransom demands.

Both banks said they took additional security measures after learning of the potential breach and would be directly contacting customers whose accounts may have been compromised. Royal Bank, Scotiabank and Toronto-Dominion Bank have said they have no indication they have been affected.

The apparent extortion attempt against BMO and CIBC’s direct-banking brand Simplii comes after a string of other high-profile pay-for-data attempts.

Recent examples include a failed attempt at Uber to pay off hackers, only for the company to later reveal that some 815,000 Canadians had their information compromised as part of a global attack, and the infamous cyberattack on cheating website Ashley Madison, which did not comply with hackers’ demands to close the website, resulting in the exposure of personal information of millions of users.

Smaller organizations are also falling victim to hacking payment scams, including the University of Calgary, which paid $20,000 to have its computer systems unlocked after a ransomware attack in 2016.

The risks are clearly on the rise, said cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada.

“In terms of cyber incidents overall, whether it’s breaches, whether it’s these sorts of attacks, whether it’s standard ransomware, that’s skyrocketing.”

However, the incident involving BMO and Simplii varies from more standard efforts to either use the data itself to profit or to try and sell it to third parties, which makes it harder for companies to set up defensive plans, said Kabilan.

“Understanding tactics actually gives us an advantage in terms of defending ourselves, but if those are constantly varying, it starts putting up a few more challenges.”

Companies, especially banks, need to keep improving security efforts but also plan for resiliency and being able to respond in the event of an attack, he said.

“Companies have to wake up to the fact that there is no such thing as 100 per cent security in the cyber world. It’s a question of when and how bad.”

BMO and Simplii did the right thing in being quick to assure customers that their money is safe and that they’re working diligently to improve security, said Barry Waite, chair of the communications department at Centennial College.

Both banks said they’d directly reach out to affected customers and are co-ordinating with officials to respond to the incident and protect clients.

Demonstrating the safety of banking services will become increasingly important as they roll out more digital products, said Waite.

“This is important for the whole banking industry, demonstrating that as they increase technology, they’re introducing new apps, that they have the best security in place.”

The whole banking sector is looking to improve digital security in light of such threats, Scotiabank CFO Sean McGuckin said on a media conference call discussing its quarterly results.

“There’s a very open dialogue amongst financial institutions around cyber threats. So we are all quite open and learning and sharing from each other.”

BMO and CIBC’s Simplii warn fraudsters may have accessed clients’ data

Two of Canada’s biggest banks warned Monday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.

The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.

“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster,” said spokesman Paul Gammal in an emailed statement Monday, May 28, 2018.

“A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers,” he said.

The bank said it believes the attack originated outside Canada, but did not elaborate on the type of data they accessed.

Gammal said the bank is conducting a thorough investigation and is working with the relevant authorities.

The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.

Simplii said Monday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.

Gammal said the potential breach at BMO appears to be related to the CIBC issue. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they were affected.

Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.

“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.

Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.

“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”

The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.

“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.

“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”

Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.

In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.

New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.

Bell Canada alert prompts RCMP, privacy watchdog to investigate data breach

By David Paddon

THE CANADIAN PRESS

TORONTO - The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information.

Media reports put the number at about 100,000 but RCMP spokeswoman Stephanie Dumoulin, at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner said that they couldn’t disclose details.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.

Bell Canada’s representatives have alerted customers who were affected, but didn’t answer questions about how many customers were impacted, when the breach occurred, or if the data release was related to an earlier breach last year.

Bell also told customers that additional security, authentication and identification requirements have been implemented.

“When discussing your account with our service representatives, you will be asked for this additional information to verify your identity,” its emailed notice to customers said.

Katy Anderson, a Calgary-based digital rights advocate with OpenMedia, said she’s glad Bell is implementing additional security checks.

“However, this is the second time the company has been hit by hackers in eight months,” Anderson said in a phone interview.

Bell Canada revealed in May that an anonymous hacker had obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

Anderson said that the public should realize that centralized data is vulnerable, by its nature.

“When a breach like this happens, which we’re seeing more and more, it’s always a good reminder to change your passwords, update your security questions with things only you would know, and consider using a password manager,” Anderson said.

Bell’s latest data breach follows several other high-profile hacks, including at credit monitoring company Equifax and car-hailing service Uber, though those companies did not immediately disclose the breaches.

The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.

But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.
