A southern Ontario regional government has confirmed it has been hit with a cyberattack.
The Regional Municipality of Durham, which provides regional services to eight local municipalities north of Lake Ontario including the City of Oshawa, said in an email it “recently became aware of a cybersecurity incident that occurred with a third-party software provider which impacted the region.”
A statement from the region’s communications department says they’ve contacted the “relevant authorities and regulators.”
“Our IT teams, working with the service provider, took immediate steps to secure our systems. The incident did not impact the Region’s core IT systems.
“Our experts are now investigating the matter to determine the information that may be involved and the impact of this incident. It is important to note that the vulnerability related to the service provider has been addressed and our systems have been secured.
“We are committed to protecting the privacy of all residents and we are taking this matter very seriously. We are sorry for the inconvenience this may cause affected parties.
The response came Friday following a query from IT World Canada after the Clop ransomware group this week posted what it said were copies of documents copied from the government.
While the Clop group is responsible for ransomware attacks, FireEye security researchers say Clop also allows other threat actors who have stolen data from organizations using the vulnerable Accellion FTA file transfer platform to use its website to post proof of theft documents from victim organizations. This is usually accompanied by a threat to embarrass the organization with the release of more documents unless a ransom is paid.
The region’s communications department didn’t respond at press time to an emailed question on whether the cyberattack was the result of an Accellion FTA compromise.
Two of the documents posted appear to be from Durham paramedic service listing patients’ names, addresses, dates of birth and healthcare numbers. Another document listed the names of students, their guardians and/or mothers and phone numbers.
UPDATE: Since the screenshots of those first documents were posted a few days ago the site posted 6.5GB of what is believed to be copies of all of the data captured by the attacker.
Brett Callow, a British Columbia-based threat researcher for Emsisoft, said speedy disclosure to possible victims of a data breach is always important, but it’s absolutely critical cases involving Clop as the group has a track record of using exfiltrated data to spear phish the third-party organizations to which it relates. Also, in multiple Accellion-related incidents, Clop has mass-emailed the individuals whose data was exposed in an attempt to get them to pressure the breached organization into paying – and, in some cases, done so before the organization disclosed the breach. That’s not how somebody should find out that their personal information has been compromised.
Durham Region has a combined population of about 650,000.