Sensitive personal data among thousands of files exposed in Elgin: Gonyou cybersecurity incident – London

A cybersecurity incident that left Elgin County’s website and email services offline throughout April resulted in the posting of thousands of county files, some containing highly sensitive personal information, on the dark web, Elgin’s chief administrative officer confirmed Monday.

County officials south of London, Ont., have kept quiet about the incident for the past few weeks but now say about 26,000 files and the information of about 300 people were compromised after a “unauthorized third party” gained access to his network.

Highly sensitive data about 33 people, including social insurance numbers, health card numbers and financial information, was also among the data released, Elgin chief executive Julie Gonyou said in an interview with Global. News.

“We are providing 12 months of credit monitoring and identity theft protection to 33 people whose sensitive information has been compromised,” Gonyou said Monday.

For the more than 260 other people affected, the compromised information included data that was not necessarily of great value to cybercriminals, but which could pose more reputational risks, such as performance reviews and termination letters, she said.

“Those affected were really current and former Elgin County staff, as well as current and former residents of our long-term care facilities. In long-term care facilities, five people have been affected,” Gonyou said. The county operates three long-term care facilities, including Bobier Villa, Elgin Mayor and Terrace Lodge.

“We took immediate action to notify these individuals… All notices were sent on Friday.”

County officials first confirmed that a “cybersecurity incident” had occurred in a memo that was distributed to staff on March 31 and obtained by the London Free Press.

In the memo, Gonyou wrote that a large amount of spam containing malicious attachments or links was sent to staff members and that an external consultant had been hired to investigate the incident and monitor data breaches.

On Monday, Gonyou said that after learning of the unauthorized network access, the network was shut down immediately on April 1 to mitigate further damage – a shutdown that would last until April 27, affecting the website and county courier services.

On May 3, Elgin officials were alerted by their cybersecurity consultant that information had been dumped on the dark web, she said.

“It was 26,000 files, some of which were not active. Really, it was a directory of files that was posted. We manually scoured and rated each of the 26,000 records for review against a set of criteria,” Gonyou said.

“I would say it was a very, very small percentage of the total volume of files that we host in the county. And it was sort of sampling across multiple different servers and different files.

There was no “rhyme or reason” as to which service areas were affected by the breach, Gonyou said, noting that the county provides about 25 different services. “It is difficult to discern whether certain areas have been more affected than others.”

Global News first reported in late April that a cybersecurity expert observed data claiming to belong to the county being posted on the dark web portal of notorious Russian ransomware group Conti.

The data allegedly downloaded included at least one 40 megabyte ZIP file titled “elgin_AccountsPayable”. Global News could not independently verify the authenticity of the Conti list or the data allegedly released, as it appeared to have already been deleted the following day.

The cause of the cybersecurity incident is under investigation, but Gonyou says the incident was not, to their knowledge, a ransomware attack.

“We shut down our network, which I think is very different from a ransomware attack, where I think under these circumstances cybercriminals or threat actors shut down your system or hold your information for ransom. “, she said. The county did not pay a ransom and its systems were brought back online on April 27, she said.

Trending Stories

• How a single company ‘silently’ took over the world of visa processing in an era of record migration

• Ukraine to evacuate remaining troops from Mariupol, ceding control of beleaguered city

A cyber threat expert, however, says it all depends on your definition of ransomware.

“Ransomware has evolved over the past two years,” said Brett Callow, Vancouver Island-based threat analyst for cybersecurity firm Emsisoft.

“In the past, they simply blocked the networks of their targets. They still do this sometimes, but they also steal a copy of the data and use it as additional leverage to extort payment. Sometimes they completely skip the encryption process and just steal the data.

When asked if Conti was suspected of having been involved in the incident, or if contact had been made with the group either by the county or its cybersecurity consultant, Gonyou declined to comment, citing a ongoing investigation by the Ontario Provincial Police with which the county is cooperating.

Gonyou said Monday that she did not know if any of the compromised information had been taken offline.

“I think once it’s released, it…presents a risk regardless,” she said.

Since publishing Conti’s initial story in late April, Global News has learned that alleged Elgin data has also been published on the dark web portal of another ransomware group. Global News does not identify the group because the data was still online Monday afternoon.

This data dump, measuring approximately 50 gigabytes, also contains an “elgin_AccountsPayable” folder, as well as directories labeled “Engineering”, “elgin_data”, and “elgin_hr”.

“Thank you for that information. I’ll follow up, but have no further comment,” Gonyou said when told about the other data dump. Gonyou also declined to say whether the county had had any contact with a ransomware group, citing the OPP investigation.

When asked if it was unusual to see data posted on the portals of two different ransomware groups, Callow explained that most ransomware groups operate on a ransomware-as-a-service basis.

“You have the team creating the ransomware, and they’re actually renting it out to other people who are using it in their attacks” – affiliates – “and they’re all splitting the proceeds among themselves,” he said. he declares.

“One possibility here is that an affiliate carried out the attack using Conti ransomware, Conti gave it up, and so the affiliates turned it over to another ransomware group to try and extort money .”

According to the Canadian Center for Cyber ​​Security, Conti is considered “one of the most sophisticated ransomware groups in operation” and frequently targets hospitals, governments, medical networks and other essential services.

Speaking to Global News last month, Callow said it was unlikely Elgin was targeted for any particular reason, and that an overwhelming majority of attacks are carried out randomly via malicious links in e-mails. -phishing emails or unpatched vulnerabilities on Internet-connected networks.

Following the cybersecurity incident, Gonyou said the county has implemented additional safeguards and protections for its computer network.

“We carry out regular audits of health systems and improve the training of our staff across the company. Additionally, our work with our external cybersecurity team is ongoing, so we will continue to investigate the matter,” she said.

“We also look forward to recommendations from our consultants.”

With the rise in the prevalence of cyberattacks in businesses large and small, Gonyou says other organizations should learn from Elgin’s case and be hyper-vigilant about cyberthreats.

“Elgin County had robust systems in place such that threat actors or perpetrators use very sophisticated means to infiltrate computer systems and networks,” she said.

According to the Canadian Center for Cyber ​​Security (CCCS), ransomware is the most common cyber threat Canadians face.

“Ransomware is not a new problem. Observed as far back as 1989, over the past 15 years ransomware has become one of the most popular types of cybercrime,” said a Cyber ​​Threat Bulletin 2021 from CCCS readings.

The bulletin notes that ransomware-as-a-service operations have helped increase the impact and scale of ransomware attacks in recent years. According to the agency, global ransomware attacks increased by 151% in the first half of 2021 compared to the same period in 2020.

“The Cyber ​​Center is aware of 235 ransomware incidents against Canadian victims from January 1 to November 16, 2021. More than half of these victims were critical infrastructure providers,” the bulletin said, adding that the most attacks go unreported and victims can be hit multiple times. time.

“Despite a temporary lull following international action, we believe that ransomware will continue to pose a threat to the national security and economic prosperity of Canada and its allies in 2022, as it remains a profitable business for cybercriminals. .”