LockBit's third-party compromise of Canadian government personnel data.
N2K logoNov 21, 2023

Privateers raid a complicated IT supply chain.

LockBit's third-party compromise of Canadian government personnel data.

The Treasury Board of Canada Secretariat has disclosed a third-party data breach in which contractors handling information of members of the Canadian Armed Forces, the Royal Canadian Mounted Police, and other Canadian government employees were compromised by LockBit.

Affected contractors handled relocation services.

The two affected contractors were Brookfield Global Relocation Services (BGRS) and SIRVA Canada. BleepingComputer says the compromised information goes back to 1999. While Canadian authorities didn't offer an attribution of the attack to any particular group, LockBit, the privateering and profit-motivated Russian ransomware gang, has claimed the SIRVA compromise and is probably responsible for the breach at BGRS as well. According to BleepingComputer, LockBit says it has 1.5TB of stolen documents, and that SIRVA declined to pay the ransom demanded. "Sirva.com says that all their information worth only $1m. We have over 1.5TB of documents leaked + 3 full backups of CRM for branches (eu, na and au)," the gang said on its leak site.

Compromise of personal data could compromise security questions.

Sean McNee, VP of Research and Data at DomainTools, observed that complex supply chains give criminal organizations considerable scope for their operations. "The modern interconnected supply-chain within which large enterprises and governments operate creates opportunities for persistent threat actors, such as LockBit, to operate. This is true regardless of how well-designed or implemented these networks are--their required complexity unfortunately invites unwanted attention."

McNee thinks the Canadian government is handling the incident with commendable transparency. "We applaud the Canadian government here for the transparency, decisiveness, and speed with which they reported this event as well as the actions they are taking to support their affected citizens. We advise all Canadian citizens who were impacted to take reasonable precautions with their online data: replace any documentation that the government advises, monitor your credit reports for any suspicious or fraudulent activities, ensure you have strong and unique passwords to critical online accounts, and enable multi-factor authentication when possible. 

There are some perhaps surprising implications of the breach for security questions. The answers to these often involve information that could have been compromised in a breach of this kind. McNee suggests, "Given the nature of the data which LockBit stole, we also suggest citizens consider changing the answers to any security or account recovery questions they have to critical online accounts, as the 'correct' answers to such questions, like, 'What street did you live on in 2005?' could be contained in the leaked information."

A particular risk to police and military personnel.

Colin Little, Security Engineer at Centripetal, thinks that the damage this breach inflicted is unusually serious and enduring. "The theft of relocation information for these particular public service, law enforcement, and armed services individuals has a tragic and far-reaching impact," he wrote. "For example, members of those organizations have a higher degree for a need of privacy as they may have enemies: people they have put in jail, for example, or LE/AF personnel whose job it is to go undercover. The damage to the affected individuals is made unimaginably worse by the possibility that the stolen data is not only theirs, but their families' data, their wives and children's names, current and former addresses, and the list goes on."

Little sees the cybersecurity community as owing police and military personnel a debt of honor. "This is damage and risk that can't be met with identity monitoring services alone, or by changing a password, or using MFA from now on. It's possible the damage and risk are, in ways, irreversible. The victim groups themselves are honor-bound to serve, protect, and defend. Cybersecurity personnel are thus honor-bound to serve, protect, and defend them, and we failed. We must find a way to stop organized threat actor groups from getting into systems with sensitive data and stealing it before it happens."