No country is immune from cyber attacks. But 2019 saw Canadian organizations victimized like never before.
Arguably the worst breach — not only of 2019 but one of the worst in Canadian history — was the theft of personal information on 15 million people in Ontario and B.C. held by medical test laboratory LifeLabs. This data included patient names, addresses, email addresses, login passwords, dates of birth, health card numbers and in some cases lab test results.
The second-worst breach was the theft, by a suspected employee, of information on all 4.2 million personal banking customers in Quebec and Ontario of the Desjardins credit union.
Copied were names, addresses, birthdates, social insurance numbers, email addresses and information about transaction habits. Not stolen were passwords, identification questions or secret codes.
While more people were victims of the 2015 hack of Toronto-based dating site Ashley Madison, it isn’t a financial or health institution and subscribers didn’t have to give real names.
Getting a handle on how many data breaches there are in this country is becoming easier now that most organizations have to report them to the Office of the Federal Privacy Commissioner (OPC).
In November the OPC estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory reporting — and that didn’t include the LifeLabs breach.
Small wonder Ed Dubrovsky, managing director for incident response at Toronto-based Cytelligence, said “unfortunately it’s been an amazing year” — for attackers.
Among the publicly reported incidents:
- In August two people were arrested after a data breach at Quebec’s tax collection agency affecting 23,000 past and present employees at Revenu Québec. Most of the data were names and social insurance numbers. The province said an internal investigation showed the data wasn’t used for malicious purposes or sold to third parties;
- Public and private sector organizations were victims of ransomware. The city of Stratford, Ont., acknowledged paying the equivalent of $75,000 in bitcoin following an attack in April. Toronto’s Michael Garron Hospital was another victim, as were the government of Nunavut and the city of Woodstock, Ont.
- The alarming new trend of ransomware combined with data theft was evident when a Manitoba-based insurance company acknowledged it was hit by a ransomware gang that threatened to release customer information unless it was paid;
- Organizations were also stung by business email compromise scams, in which an employee is tricked into changing the bank account to which invoice payments are sent. In August the city of Saskatoon admitted it was victimized for just over $1 million. In May the city of Burlington, Ont., acknowledged it was hit the same way. In November, Waterloo Brewing, an Ontario maker of beers, said a staffer wired $2.1 million to a supposed creditor’s account. Organizations must have business controls for verifying requested changes in payment procedure to prevent this from happening;
- The University of Ottawa’s online student news site was temporarily stripped of copy after the site was hacked;
- Attacks through suppliers were responsible for many incidents. Freedom Mobile blamed a third party for hosting on the Internet an unprotected database with personal and credit card information on thousands of the wireless carrier’s subscribers. TransUnion Canada said attackers compromised a Winnipeg leasing company to get access to personal information on some 37,000 Canadians held by the credit reporting agency. Verizon’s annual Data Breach Investigations Report, covering thousands of incidents around the world, noted that 21 per cent of data breaches are caused by errors, either by employees or third parties;
- Questions were raised about the dealings of some organizations with suppliers. In December the city of Hamilton, Ont., notified residents of a potential disclosure of their personal information through Alectra Utilities, which provides water billing service for the municipality. According to a news report an India-based subcontractor to Alectra had access to customer data it held, and there may have been other subcontractors whose staff could also see personal data. The incident raised questions of consent;
- Nova Scotia’s privacy commissioner blamed the government for not doing enough security testing before making a new provincial Freedom of Information website live, allowing two people to hack the site in 2018 and make off with 7,000 documents including personal information of 740 people;
- Think small businesses won’t be attacked? Consider our report on a Halifax vegan restaurant whose Facebook page was defaced.
Among other newsworthy events in 2019:
- The U.S. increased pressure on Canada not to allow Canadian wireless carriers to buy wireless network equipment from Chinese manufacturer Huawei for security reasons. A decision will likely be tied to the outcome of a Vancouver extradition hearing for Huawei’s CFO and the detention by China of two Canadians;
- A Bank of Canada executive was among many experts urging organizations to collaborate more on cyber best practices and threat information. In a related move the Canadian Cyber Threat Exchange (CCTX) lowered fees for public sector agencies;
- To help improve the security maturity of small and medium-sized businesses the federal government launched a cyber certification program. The hope is it will also increase public confidence in Canadian firms selling products online.
Dubrovsky sees some complacency in the attitude of Canadians and organizations. “We’re just accepting this is a risk,” as a result of the almost daily stories of breaches. “Unfortunately I don’t think there’s enough being done, still” by IT departments. “We don’t understand the threat actors are also ramping up both the damage they’re causing and the monetary demands.”
“Frequently when I’m at conferences I watch other cybersecurity experts give a talk, I look across the room and I see a lot of people tuned out — and I’m talking about leadership. That’s a problem because leadership needs to understand the risks are very significant.”
“This past year was not hopeful at all,” says former Ontario privacy commissioner turned consultant Ann Cavoukian. “There’s a growing trust deficit, both in terms of the public and the private sector” on privacy. That includes the amount of personal data collected by platforms like Facebook and Google and use of facial recognition software by police departments.
Jessica Ireland, who heads the London, Ont.-based security team at Info-Tech research, says she still comes across organizations that don’t take cybersecurity seriously. “I’m shocked sometimes to hear executives say it’s not important, it’s not a priority. That’s a little bit behind the times. Security should be table stakes for organizations these days . . . You need to be thinking about the privacy of your client data, your customer data, your employee data.”
Looking ahead, Dubrovsky says in 2020 infosec pros will see more attacks using combined tactics, like the Maze group’s ransomware, which also steals data, and the strain of ransomware dubbed Sodinokibi, which also infects and uses anti-virus software to spread malware.
Fernando Montenegro, a Toronto-based information security analyst at 451 Research, sees security vendor consolidation as providers look to add more automation and orchestration to their services. He gave as examples Palo Alto Networks buying Demisto, Elastic acquiring endpoint prevention and detection provider Endgame, SIEM provider Sumo Logic buying cloud SOC provider JASK Labs and Tenable buying operational technology security provider Indegy.
“In my view solving a lot of what we describe as a skills shortage is going to be done by automation and decentralization. If you look at how teams are looking to deploy modern solutions they are doing it in a decentralized fashion, by decentralizing the work of cybersecurity.”
Overall he’s optimistic about the fight against attackers. Endpoints are getting better, he argues, defences are improving, and if infections can be contained it will help defenders. Dubrovsky also sees hope, noting cybersecurity spending is increasing, although mainly in large organizations.
But, he adds, many organizations that are successfully attacked don’t worry enough about securing their systems. “The only thing they care about is how do we get our systems back” and not ensuring all vulnerabilities are plugged. Failure to do that, he warned, will mean the network will be penetrated again. “They don’t understand they are dealing with criminal organizations that are now very well funded, and not securing themselves against the next attack is really foolhardy.”
Ireland sees something similar. “We are still having conversations about the basics of security. We recently ran some [organization] surveys on priorities for the New Year and what came up wasn’t fancy — it wasn’t AI or IoT security or anything like that — it was the basics around data security, risk management, email security.”
“I think a lot of organizations have the right tools in place but perhaps haven’t put the right response processes in place to support those tools when something happens.”
On the privacy side, the newly-elected federal Liberal government has a few promises to fulfill, including the creation of a Digital Charter. Among other things, it would give consumers the right to transfer their personal data from one company to another in a digital format. It also proposes giving people the explicit right to request the deletion of information about them that they provided, with some caveats. During the election, the Liberals also promised to increase the power of the federal privacy commissioner and create a data commissioner.
However, updating privacy legislation wasn’t mentioned as a priority in the new government’s Speech from the Throne.
Looming on the horizon is a European Union decision on whether the federal Personal Information Protection and Electronic Documents Act (PIPEDA) complies with the new EU General Data Protection Regulation (GDPR). The GDPR came into effect in May 2018. It is believed the EU would report within the first two years of the new regime whether the privacy legislation of other countries complies with GDPR, which could trigger required legislative changes.
Finally, Cavoukian says 2020 will see increased public worry about the amount of personal data collected by the public and private sector, and the use of video surveillance and facial recognition technology. “There’s a growing trust deficit, both in terms of the public and the private sector,” she said.
She noted that San Francisco and other U.S. cities have passed resolutions forbidding their departments from adopting facial recognition technology because it isn’t accurate. Protests against what she called “algorithmic discrimination” in predictive systems will increase in 2020, she said.