Science

Hackers were paid ransom after attack on Canadian insurance firm, court documents reveal

A Canadian insurance company suffered a ransomware attack last fall that saw 1,000 of its computers infected, raising questions about what sensitive data may have been accessed by hackers and whether the firm disclosed the breach. The case has only now come to light because of recent court filings in Britain.

Canadian company paid $950,000 US ransom through cyber insurer; extent of data breach remains unclear

A person types at a keyboard
An unnamed Canadian insurance company was hit with a ransomware attack in October. The incident only recently came to light through court filings in the U.K. (Trevor Brine/CBC)

A Canadian insurance company suffered a ransomware attack last fall that saw 1,000 of its computers infected, raising questions about what sensitive data may have been accessed by hackers and whether the firm disclosed the breach to its customers. The case has only now come to light because of recent court filings in Britain.

The unnamed firm had itself purchased coverage in case of a cyberattack. The company's U.K.-based reinsurer paid $950,000 US to unlock the hijacked files and is now fighting to get the money back from criminals, according to court documents stemming from a hearing held in private.

"A hacker managed to infiltrate and bypass the firewall of [the Canadian company] and installed malware called BitPaymer," reads a Dec. 13 ruling from England's High Court in London. The document was published Jan. 17 and the case was first reported by the New Money Review.

British Justice Simon Bryan allowed the Canadian firm and its U.K.-based reinsurer to remain unnamed in public court documents. (U.K. Judicial Office)

The ruling simply refers to the Canadian firm as "the Insured Customer." Its reinsurer also goes unnamed, having asked the court for anonymity. The case does not appear related to Andrew Agencies, a Manitoba-based insurance brokerage which recently acknowledged it had fallen victim to a separate ransomware incident.

The attack on the unnamed Canadian firm became apparent on Oct. 10, 2019, when computers began locking up and displaying a ransom note — a typical occurrence during such incidents.

"Your network was hacked and encrypted," the message read, demanding a payment to release the machines and warning "no free decryption software is available on the web." The cybercriminals threatened to encrypt the company's files permanently if the episode were disclosed to the public, according to the court ruling.

The British reinsurer ultimately paid the hackers a $950,000 US ransom — negotiated down from an initial demand of $1.2 million — in the digital currency bitcoin. The Canadian company was then supplied with a digital decryption tool. It worked, but it took time. 

"The information before me is that it took decryption of 20 servers of the Insured Customer five days and 10 business days for 1,000 desktop computers," Justice Simon Bryan wrote.

The case was heard by the Commercial Court, part of England's High Court of Justice, based at the Rolls Building in London. (Gordon Bell/Shutterstock)

Attacks usually stay secret 

While ransomware attacks have grown more common, disclosures remain rare. Companies tend to shy away from publicly announcing they were targeted, for fear they could be struck again, or to avoid worrying customers.

Brett Callow, a B.C.-based spokesperson for the international cybersecurity firm Emsisoft, said only 10-20 per cent of firms hit with ransomware let it be known publicly.

"What's really alarming is companies aren't disclosing these incidents, so customers, vendors and business partners aren't aware that their data has fallen into the hands of cybercriminals," Callow wrote in an email.

In the case of the insurance firm, it's unclear what data may have been accessed by hackers and whether they've held onto it since the computers were unlocked. Depending on the type of insurance the firm deals with, the machines could have been storing sensitive information on customers' homes, health or finances.

Since 2018, Canadian privacy law requires companies to report to the Office of the Privacy Commissioner (OPC) any breach of personal information that could "pose a real risk of significant harm to individuals."

On Wednesday, an OPC spokesperson declined to say whether this case had been reported, citing Canadian privacy laws.

The Canadian company isn't alone in buying coverage specifically for cyberattacks. What makes this case unusual is that it landed in court, with the British reinsurer attempting to recoup the ransom amount. So far, it successfully obtained an injunction to freeze much of the bitcoin payment.

Chainalysis, a U.S. firm which carries out digital currency investigations, confirmed to CBC News it helped trace 96 bitcoins (more than $890,000 US as of Wednesday) to an unnamed user of a cryptocurrency exchange site.

No hacker is identified by name in the court papers and a Chainalysis spokesperson declined to provide further details.

Should victims pay the ransom?

Cybersecurity experts typically recommend paying no ransom, since there's no guarantee it will ensure any data is unlocked. What's more, it can encourage hackers to re-target victims who have been willing to pay.

The RCMP strongly suggest victims refuse to pay, but acknowledges in online guidance that "there may be legitimate reasons for paying the ransom, such as the potential harm of not having access to the data as a result of no backup."

Get in touch by email: thomas.daigle@cbc.ca.

ABOUT THE AUTHOR

Thomas Daigle

Senior Reporter

Thomas is a CBC News reporter based in Toronto. In recent years, he has covered some of the biggest stories in the world, from the 2015 Paris attacks to the Tokyo Olympics and the funeral of Queen Elizabeth II. He's reported from the Lac-Mégantic rail disaster, the Freedom Convoy protest in Ottawa and the Pope's visit to Canada aimed at reconciliation with Indigenous people. Thomas can be reached at thomas.daigle@cbc.ca.