Members of Anonymous are claiming responsibility for leaking a trove of personal data that includes the names, email addresses, phone numbers, and partial credit card information of government employees.
The information was dumped from an online database belonging to the Intelligent Transportation Systems (ITS) Society of Canada, and was posted online shortly before noon on Tuesday.
The leak includes private sector companies and industry groups, as well as employees from a swath of transportation-related government departments from municipal governments in Toronto, Ottawa, Montreal and Calgary; provincial governments of Ontario and Alberta; and federal departments such as Foreign Affairs, Trade and Development Canada, Environment Canada and Transport Canada.
In the group's chatroom, a user named ro0ted claimed to still have access to the site when contacted by Motherboard Tuesday afternoon, about three hours after the database was first posted to a document sharing website. The user declined to say how long Anonymous had access to the site, nor how many people were involved in the attack.
In response to a voicemail message left with ITS Canada, administrative manager Janneke Poelking said her group "was made aware of the hacking of our website by a member of ITS Canada. We are working with Biz-One on this at this moment, and this is all that I can say."
Biz-One is listed as the developer of the ITS Canada website, and had not responded to a request for comment by Tuesday evening. Motherboard left a voicemail message with its president and CEO Julie King.
Those responsible claimed that everything in the database was stored in plaintext, or unencrypted. Passwords, the last four digits of credit card numbers, and what appears to be the financial amounts of transactions can all be readily identified in the dump.
ro0ted said the leak was in "retaliation for the passing of Bill C51"—a controversial piece of Canadian anti-terrorism legislation recently signed into law—and claimed the attack was the third in a series of attacks that other Anonymous members have deemed #OpCyberPrivacy. However, a representative for #OpCyberPrivacy contacted by Motherboard denied any responsibility for the leak.
"#OpCyberPrivacy has not and will continue to not release any manner of private information," a representative wrote. "The documents leaked were the work of a small group unaffiliated with the main operation, whereas we have on several occasions voted against such actions. #OpCyberPrivacy officially denounces such action as anti-privacy. NO Canadians data should ever be leaked. It is against all we stand for."
In #OpCyberPrivacy's first attack, several federal government websites—including the Canadian Security and Intelligence Service, were rendered temporarily inaccessible in a distributed denial of service (DDoS) attack. For the group's second attack, the website of la Fraternité des policiers et policières de Montréal was defaced.
ro0ted said their group has a list of future targets, but no schedule for attacks. One user who went by the name of Doemela in the chatroom said that the attackers "scan domains beloging [sic] to Canada" and "when there is a vulnerability it is investigated further."
"We said we would respond in order to prevent the NSA and other intelligence contractors from the further invasion of our privacy and violation of our rights," Doemela said.
Correction 23/06: An earlier version of this article attributed the hack to users associated with an Anonymous campaign called #OpCyberPrivacy. However, members of the campaign claim they were not involved. This article has been updated, and Motherboard regrets the error.