As we near the end of the year, it’s important to bear in mind that the holiday season often comes with an increase in cyber risks. A recent report sheds light on a ransomware attack launched last Christmas.
On December 25, 2021, a Crown corporation in Saskatchewan received a ransom demand after its systems were breached, according to an investigation report by the Office of the Saskatchewan Information and Privacy Commissioner. The breach took place in November 2021, compromising the personal information of approximately 40,000 people, but wasn’t detected until the ransom demand.
While the Crown corporation promptly reported the breach and notified affected individuals, the Commissioner found some shortcomings in the organization’s cybersecurity strategy. The Commissioner also provided some comments and recommendations that are helpful for all organizations as they brace for increased cybersecurity attacks this holiday season.
Failure to Patch a Critical Vulnerability
According to the report, the Crown corporation failed to patch a critical vulnerability in its content management system (CMS), allowing hackers to enter the CMS undetected and gain access to credit card information, employee data and supplier agreements – much of which ended up on the dark web.
The Commissioner concluded that the Crown corporation’s failure to patch a critical vulnerability was one of the root causes of the breach, noting that 78 days had elapsed between a security bulletin about the vulnerability being published and the Crown corporation discovering the cyberattack.
Failure to Detect Attackers’ Activity
The Commissioner concluded that another root cause of the breach was the Crown corporation’s failure to detect the presence of the attackers. Although the corporation had ongoing monitoring processes in place, the Commissioner found that those processes were ineffective because the hackers used a system vulnerability to gain access undetected.
Unnecessary Retention of Data
Many of the people affected by the breach were past employees and regulatory clients the Crown corporation had not been in contact with for the past five years. The number of people affected by the breach would have been far smaller if the Crown corporation hadn’t retained personal information indefinitely, the Commissioner noted.
Recommendations Include Data Retention Policy
In the report, the Commissioner made a number of recommendations aimed at helping the Crown corporation avoid future breaches, including:
- Signing up for email notifications of security bulletins
- Ensuring it has sufficient resources to respond promptly to system vulnerabilities
- Frequently assessing its ability to monitor and block suspicious activity
- Implementing a data retention policy to prevent the retention of unnecessary data
Any organization that collects personal information would be well advised to follow these recommendations – especially as we head into the holiday season, which is often accompanied by an increase in cyber incidents. Our Cybersecurity Checklist can help you assess your organization’s preparedness for a cyberattack. To learn more about how to prepare for and respond to cyberattacks, contact a member of our Privacy, Data Protection & Cybersecurity team.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.