Hackers Held Data on 5,000 Canadians Hostage and the Government Didn’t Tell Anyone

Last year, a clever piece of code grabbed the computers of a foreign company, and held them hostage — detaining information on 5,000 Canadian passport applicants in the process.

The malware demanded an undisclosed sum of money, or else all the computer’s data would be encrypted forever, effectively locking it and throwing away the key.

This type of virus, often referred to as ransomware, is becoming increasingly prolific, reportedly favored by hackers in Russia looking for an effective payoff. The malware, usually installed by convincing an unwitting user to click a malicious link, demands anywhere from $200 to $5,000, usually in bitcoin, within a set amount of time, marked by a countdown clock.

That’s exactly what happened to one unnamed company that happened to be housing a significant amount of Canadians’ personal data for unknown reasons. 

A report from the Canadian Cyber Incident Response Centre (CCIRC), obtained through Canada’s access to information regime, revealed the hack.

“Canadian passport information encrypted by ransomware: CCIRC received a request for assistance from a foreign company that had recently suffered a Cryptowall infection. The ransomware had encrypted a computer containing the information of approximately 5000 Canadian passport applicants,” the document reads.

Image via NakedSecurity

The CCIRC informed the company that recovering the files was unlikely, and that paying the ransom wouldn’t guarantee the return of the files. The center provided advice on how to prevent future ransomware attacks. The report doesn’t say what happened to the 5,000 passport applications.

The software used in the hack, CryptoWall, is one of the more common strains currently causing headaches around the world. American police departments have been hit particularly hard. Some departments opt to pay the ransom, some opt not to.

The FBI estimated that just one type of the malware netted $27 million in a single year.

And while early versions of ransomware would simply encrypt users’ hard drives, then destroy the decryption key if users didn’t pay, new variants, especially CryptoWall, are much more insidious. They can infect entire networks, and use spyware to steal information and send out further malicious emails to the contacts in users’ address books.

“While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets,” wrote one security engineer in March.

The RCMP announced Wednesday that it would be bolstering its cybercrime presence in order to try and catch hackers like those behind CryptoWall.

Asked about the hack, Immigration, Refugees and Citizenship Canada (IRCC) — the department responsible for passport applications — admitted that it was aware, and never made the breach public.

“IRCC learned of this data breach in December 2014,” a spokesperson for the department said in an email. “It was not an IRCC privacy breach as it was not related to any IRCC departmental systems nor was this information under the control of the Government of Canada, and therefore IRCC was not able to contact those affected.”

It’s unclear why the foreign company had the passport applications at all, or what action Ottawa took after finding out about the hack.

The Office of the Privacy Commission, meanwhile, confirmed that they were not informed of the data breach.

New laws adopted last year will force companies to report all data breaches pertaining to Canadians’ personal information to the government, although those rules have not yet come into force.

Follow Justin Ling on Twitter: @justin_ling

Image via Flickr user Rachel Johnson