SLGA business partners should have figured out on their own that their data may have been stolen: minister
Jim Reiter says the government followed the guidance of Sask. privacy commissioner
The minister responsible for the Saskatchewan Liquor and Gaming Authority (SLGA) says the Crown corporation didn't directly notify its business partners that their data may have been stolen in a hack because those companies should have figured it out on their own.
According to a Dec. 28 news release, SLGA's computer systems were the target of a "cyber security incident" on Christmas Day. It said that at that time, "SLGA does not have any evidence that the security of any customer, employee or other personal data has been misused." The organization repeated that line in communications with business partners.
Three weeks after the hack, the organization alerted employees that their data may have been stolen and offered them credit monitoring services.
At that time, it gave no such notification to SLGA's suppliers, vendors or licensees.
Minister Jim Reiter said the public notification about the hack should have been sufficient for those businesses to know they may have been affected.
"I think it would be good business practices at all times to keep an eye on what's going on. I would be surprised if anyone in the liquor industry in Saskatchewan, with all the information that went out, wouldn't have been aware that there was a hack at SLGA," said Reiter on Monday.
SLGA gave 'indirect notification'
On Monday, CBC reported that the SLGA hackers had provided CBC with a package of what appeared to be internal SLGA documents. The hackers said this was a small sample of what they took.
Included in the package were a small number of credit card authorization forms for SLGA suppliers, which included their credit card numbers, expiry dates and security codes.
Suppliers contacted by CBC said they were shocked to learn that some of their confidential data had been taken in the hack. They said SLGA didn't notify them.
However, SLGA has pointed out that in recent days, it has indirectly notified at least some of its business partners on its website.
Three months after the hack, on March 22, SLGA posted a public notice on its website, warning gaming registrants and liquor and cannabis permit applicants that some of their personal confidential data may have been breached. SLGA warned that some health, financial, criminal and personal information may have fallen into the wrong hands.
In an email, SLGA told CBC it is required by law to notify people whose data may have been unlawfully accessed and may be misused. The organization said rather than notify the potential victims directly, it decided to use the "indirect notification" approach, posting an update on its website.
SLGA says in a written statement on its website that Saskatchewan's privacy commissioner has given the thumbs up to this indirect approach in cases "where the privacy breach is potentially very large or you may not be able to identify the affected individuals."
The privacy commissioner told CBC his office is investigating the matter and will release the results of that investigation publicly.
The Opposition NDP's Nicole Sarauer criticized the minister for the Crown's failure to directly notify its business partners about the breach.
"The minister's response to this whole thing is a real joke," said Sarauer. "We see a lackadaisical attitude toward this sort of thing and a blame, almost, on the users of SLGA, the clients of SLGA. It really hurts our reputation in the business community."
Hack stalls SLGA's business
SLGA provided CBC with emails it sent to suppliers in the days and weeks following the hack. That correspondence provides a window into the chaos caused by the cyberattack.
While the Christmas Day hack didn't affect the payment system in its retail stores, it did affect many of its other systems.
According to a Dec. 28 news release, SLGA immediately disabled some of its computer systems and applications, and launched an investigation.
A Jan. 4 email to suppliers said SLGA had gone to a manual ordering system and had set up Gmail accounts for its employees, as its internal email system was down. The organization also had to rebuild its email list, as that was inaccessible.
The province's system of billing and collecting fees from vendors was also shut down.
Some liquor stores across the province also had trouble getting supply due to problems with the ordering system.
Despite those troubles, SLGA's President and CEO Susan Ross sent an all-staff email on Jan. 17 indicating that "we are pleased to report that recovery from this incident has gone well and that operations were only minimally impacted."
Ross also told employees that its investigation was indicating that "there is a risk that some personal information of employees may have been accessed by an unauthorized third party," so the organization was offering credit monitoring to its employees "out of an abundance of caution."
The hackers start calling
Charlene Callander, SLGA's VP of corporate services, alerted staff on March 11 that some employees had been receiving phone calls from someone claiming to be connected to the hack.
"The male caller, who speaks slowly and quite clearly, indicates he is aware that SLGA was previously 'hacked' and suggests he may have had involvement in that cyber incident," wrote Callander. She advised staff to "politely interrupt" and hang up.
On March 17, the hackers started reaching out to CBC by email, phone and then Telegram, a social media app.
They call their organization RansomHouse and claim to have encrypted SLGA's systems using ransomware.
"As far as we know their systems are still encrypted," the hackers wrote. "We've provided them a decryption tool earlier to restore a few of their files to show proof of concept."
The hackers have made a range of claims about how much data they have taken. At various times they've said they took 1.2, 1.5, and 2 terabytes of data from SLGA.
Despite those inconsistencies, they say they have provided proof to SLGA that they have taken some of its data.
"SLGA was notified about the leak with proof samples provided to them," the hackers said.
They say they want SLGA to pay an undisclosed amount to restore its previous systems and ensure that the data that's been taken isn't released publicly.
"We have but one option for SLGA — to continue negotiations to resolve that problem and avoid data disclosure."
No tax dollars for criminals, says minister
The minister said there will be no negotiations.
"This is a criminal. This is part of a group that stole private information and is trying to get a ransom out of it," he said. "I don't want to be in a position where we're paying tax dollars for ransom to criminals. I mean what message does that send to the next hacker?"
Reiter said that as far as he knows, the Saskatchewan government has never paid a ransom to hackers. He said governments and businesses across the country have been facing a growing number of attacks like this.
CBC asked the hackers why the government should trust that they wouldn't just release the private information after receiving the ransom.
"We value our reputation," the hacker said. "Our goal is to make both parties happy in the end. We would lose much more if [we] don't keep our words than benefit from it."
They say they also have a value-added offer.
"If negotiations will be successful, we will share a detailed report with the company on all technical measures that have to be taken to improve overall security," the hackers said.