Elgin data breach ‘devastating’ for victims at risk of identity theft: experts

Content of the article

The theft of personal data from Elgin County could prove “devastating” for those affected, say tech analysts, who are also questioning the municipality for its lack of transparency in handling the crisis.

Advertisement 2

Content of the article

The personal information of 330 people, some highly sensitive, was compromised in a “cybersecurity incident” that crippled Elgin County’s website and messaging system for nearly a month, the county said.

The personal and business information of county employees and some residents and former residents of long-term care facilities has been dumped on the “dark web”, an area of ​​the internet accessible only through special browsers that allow users to share information anonymously, a county official said.

Of the 330 people, 33 cases are “highly sensitive”, said Julie Gonyou, administrative director of Elgin. Information accessed included performance reviews and “sensitive employment-type correspondence” that puts some affected individuals at reputational risk, she said.

Advertisement 3

Content of the article

“It can be devastating in so many ways, personal, financial and emotional. It can be exhausting,” said Michael Katchabaw, who teaches computer science at Western University.

Personal data may contain health records, financial information, work and employment assessments and any risk of being made public, he warned.

“With that information they can access credit cards, bank accounts, they can apply for a mortgage using a credit report. It can take a long time for someone to get over it,” he said.

These medical records can be deeply personal, detailing an addiction, illness or sexually transmitted disease, Katchabaw said.

“It’s a very big deal. It can have a far-reaching impact. Information has value. We’re in an era where data is more valuable than oil.

Advertisement 4

Content of the article

Ann Cavoukian, former privacy commissioner of Ontario and now executive director of the Global Privacy and Security By Design Centre, agreed that the breach could lead to identity theft and urged those affected to contact the police.

Whoever stole the data cannot use it for a year before striking, she warned.

“It is very concerning. There is no doubt that it leads to identity theft and it is a nightmare to clear your name, it can take years,” Cavoukian said.

She criticized the municipality for offering “very little transparency” about what happened and waiting a month before disclosing the leak.

“It’s very serious, it’s very sensitive information. People’s lives are seriously affected.

Elgin County Executive Mary French could not be reached for comment.

Advertisement 5

Content of the article

Covoukian asked Elgin County about hiring outside consultants, saying it needed staff to continuously monitor cybersecurity.

“They can’t let this go. They have to have people in-house to guard it on a day-to-day basis,” she said.

Carmi Levy, a technology analyst in London, agrees that the municipality dropped the ball by quickly addressing the problem and that it made the problem worse. He was aware of the incident on April 1 and his network was offline until April 27.

“They didn’t release anything about the incident until the compromised and highly sensitive personal data surfaced on the dark web. This violates all cyberattack best practices of sharing what you know, when you know, and be clear about your response plan,” Levy said.

Advertising 6

Content of the article

An internal county memo dated March 31, a copy of which was obtained by the London Free Press, said the county had hired an external consultant to help resolve a “cybersecurity incident” amid concerns over a increase in spam emails sent to staff containing malicious attachments. .

Elgin shut down its networks on April 1 and resumed operations on April 27, Gonyou said.

The county’s cybersecurity team notified officials on May 3 of the data dump on the dark web, she said.

The county issued a new statement Friday notifying the public of the “cybersecurity incident” and data breach.

It could be a phishing attack, ransomware, an intercepted and unencrypted message, a lost or stolen USB key or even a former employee angry at the municipality, a said Levi.

Advertising 7

Content of the article

“I’m leaning towards ransomware given that major systems have been offline for over a month,” he added.

As for next steps to deal with what could be a serious data breach, Levy suggests the municipality be more open about what happened and its strategy for preventing future breaches.

“What changes to people, processes and tools have they already implemented – and plan to put in place – to ensure that the risks that led to this event have been eliminated?” he said.

“Public sector IT professionals walk a fine line in terms of public disclosure. It’s clear there’s a lot more going on behind the curtain than what’s being shared with the public. This is concerning and it is difficult to determine not only what happened, but also whether, in fact, the county learned from the experience and succeeded in reducing the risk of recurrence. Stakeholders deserve better.

Advertising 8

Content of the article

The county said it has notified those whose data was leaked and the case is still being investigated by investigators.

The county did not provide any details about what the “cybersecurity incident” was, but Gonyou said it was not a “ransomware attack”.

“We didn’t have to make any payment for a decryption key or anything like that,” she said. She declined to comment further on the case, saying it was still being investigated by investigators.

The county has notified everyone whose information has been compromised, including the 33 people for whom the county was required by law to take this action, Gonyou said.

Elgin reported the incident to authorities, including the Ontario Provincial Police and the Information and Privacy Commissioner of Ontario.

Advertising 9

Content of the article

Elgin is not the first municipality in the region to be affected by a cybersecurity breach.

A cyberattack on Stratford’s computer systems in 2019 led to the city paying a ransom of more than $75,000 in Bitcoins, a digital currency, and another attack the same year on Woodstock ended up costing the city more than $667. $000, most of the cost came from hiring outside experts and paying overtime to staff.

Elgin is offering 12 months of credit and identity theft protection services to those affected by the breach.

Staff and residents are encouraged to report suspicious activity to the police and to the Canadian Anti-Fraud Center at antifraudcentre-centreantifraude.ca.

Advertisement

Advertisement 1

comments

Postmedia is committed to maintaining a lively yet civil discussion forum and encourages all readers to share their views on our articles. Comments can take up to an hour to be moderated before appearing on the site. We ask that you keep your comments relevant and respectful. We have enabled email notifications. You will now receive an email if you receive a reply to your comment, if there is an update to a comment thread you follow, or if a user follows you comments. See our Community Guidelines for more information and details on how to adjust your email settings.

About admin

Check Also

DITO says subscribers are now over 9 million

MANILA — DITO Telecommunity said on Friday it now has more than 9 million subscribers, …