[Security Weekly] Canadian Federal Government Exposed Personal Details of 144,000 Citizens
3rd Week of February 2020
1. Personal information of 144,000 Canadians breached by federal government
According to a report from the Canadian Broadcasting Corporation (CBC) published last Friday, the federal government of Canada has compromised the personal information of over 144,000 Canadians over the past two years. The situation was first revealed in the House of Commons during an answer session to an order paper question filed by Conservative MP Dean Allison.
The 800-page answer contained records of 7,922 breaches from 10 agencies during the past two years. The Canada Revenue Agency (CRA) suffered the most with a record of 3,020 breaches affecting 59,065 individuals, followed by Health Canada with 122 breaches affecting 23,894 people. Some of the other major entities impacted include the CBC, Canada Post, Environment Canada, as well as Immigration, Refugees, and Citizenship Canada. Many of these agencies hold sensitive data, such as passport information and social insurance numbers. A leak of such information would likely lead to identity theft and fraud.
The CRA confirmed that most of the breaches were due to security incidents, misdirected mail, and employee misconduct. However, the details of each incident are not made available to the public. What’s more concerning is that not all victims affected were properly informed.
Victims are now seeking class-action lawsuits against these government entities for financial compensation. Nonetheless, expenditures on the legal process and compensation payouts ultimately come out of the taxpayers’ pockets. This should be the time for the Canadian government to take information security seriously. Investing in cybersecurity upgrades will prevent greater aggregate loss in the long run.
2. Hackers threaten Google AdSense customers with account demonetization unless ransom is paid
Earlier this week, many customers of Google AdSense reportedly suffered extortion attacks where hackers threatened to get their AdSense account suspended unless they pay $5,000 worth of bitcoin. All the threats were received by email.
Where Google Ads serves advertisers, Google AdSense serves website publishers. Customers lend advertising space on their website to AdSense so that AdSense can provide ads that are targeted at the site visitors’ interests. AdSense then pays the customer every time a conversion (e.g. a click) occurs.
To prevent fraud, AdSense has a detection system so that if a banner ad receives a significant amount of automated or invalid traffic, it will suspend the publisher’s account. The hackers took advantage of this detection system by threatening website publishers to flood its ads with invalid traffic so that its AdSense account would get suspended.
These threats can be quite effective because, for many web publishers, revenue made from selling advertising space exceeds the $5,000 demanded by the hackers.
Some security experts have called these attacks a new form of DDoS attacks. Instead of disrupting service for a few large organizations, this new strategy can attack a large number of small businesses at the same time, who are more likely to pay the relatively small ransom.
Google seems to be aware of such threats and has been working to improve its detection system so that potential invalid traffic can be identified before ads are served.
3. Ransomware hits U.S. gas pipelines
The Cybersecurity and Infrastructure Security Agency (CISA) of the United States’ Department of Homeland Security published an advisory on Tuesday, disclosing a ransomware attack that affected a natural gas compression facility, followed by a guideline helping all other infrastructure operators to prepare for such incidents.
Though CISA did not reveal when the attack took place, it did provide the details of the incident. The attackers initially sent a phishing link to the organization, which helped them gain access to a computer in its IT network. They then found their way into the computers of the operational network which monitor the plant, encrypting all the data on the way.
Fortunately, the ransomware was said to only affect Windows systems and thus did not cause any damage to the plant’s equipment. However, since the data in both its IT and operation networks were compromised, the facility along with the whole pipeline had to shut down for two days to recover.
According to CISA, apart from failing to detect the phishing email, the organization could have stopped the attack from spreading if they had air gapped1 their operational network from their IT network.
Cyberattacks were not included in the emergency response manual of the plant. Even though ransomware attacks on governments and infrastructures are on the rise, many are still far from being prepared. (It is especially important for organizations to protect all layers of their IT system to eradicate any weaknesses. Learn more at WAPPLES.)
1 Air Gapping is when a secured computer network is isolated from an unsecured network, or when two secured networks are isolated from each other for enhanced safety.
4. Personal information of 10.6 million MGM hotel guests posted on hacking forum
According to an exclusive report published by ZDNet, more than 10.6 million people who have stayed at the MGM Resorts hotel chain had their personal and contact information posted on a hacking forum online.
ZDNet reached out to the customers on the list to verify that they had all stayed at MGM Resorts. After contacting the hotel chain, a correspondent quickly responded and confirmed the incident through email. The cybersecurity team at MGM was able to track the leaked data to an incident that happened last year. MGM also claimed that they had notified all customers who were impacted right after the breach happened.
The good news is that no payment information was compromised. However, the bad news is that such information is likely to be used for further illegal activities. Since the customers involved included celebrities, CEOs, reporters, and employees of government agencies and large corporations, their contact information could be used for sim-swapping, as well as for spreading phishing emails and SMSs targeting governments and corporations.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Web Application Firewall for Cloud: WAPPLES SA
Database Encryption: D’Amo
Smart Car Security: AutoCrypt