After London Drugs confirmed in a statement that hackers are trying to ransom reams of stolen data — which may include employee information — stemming from a high-profile cyberattack, the spotlight is once again on the cybersecurity of Canadians.
“London Drugs is unwilling and unable to pay ransom to these cybercriminals,” the company said in a statement, which comes amid a growing number of hacks and security breaches in recent years.
The Canadian Centre for Cyber Security at the Communications Security Establishment (CSE) said in its National Cyber Threat Assessment report that ransomware was “certainly the most disruptive form of cybercrime and is a persistent threat to Canadian organizations.”
“A ransomware incident can incur significant costs on an organization and can disrupt things like the movement of essential goods and services and the delivery of critical services to Canadians. In some cases, a ransomware incident could lead to impacts on Canadians’ safety and wellbeing,” CSE spokesperson Ryan Foreman told Global News in a statement.
However, individuals and organizations can take several steps if they worry their data could be at risk.
What can individuals do?
The Financial Consumer Agency of Canada recommends that individuals regularly change their passwords, review bank account and credit card statements on a regular basis and report any errors on their credit reports and any unauthorized bank transactions immediately.
The agency said if you think you’ve been the victim of a data breach, contact your financial institution and any other companies where your account has been compromised. They also recommend contacting Canada’s two main credit bureaus, Equifax and TransUnion.
You can ask the credit bureaus to place a fraud alert on your credit report, which they will do after confirming your identity.
You can also contact the Canadian Anti-fraud Centre, which is jointly managed by the Royal Canadian Mounted Police, the Ontario Provincial Police and the Competition Bureau Canada.
Equifax says data breaches can differ in terms of sensitivity. A “least sensitive” data breach could involve a person’s name and address, in which case you should change your password immediately.
A “moderately sensitive” data breach could include email addresses, birth dates and card numbers such as the ones that can be found on your credit and debit cards. This is when Equifax recommends you notify your bank.
If there is a breach of your social insurance number, passwords to online accounts, financial account numbers and payment card security codes that are generally found on the back of your card, then the breach is considered “most sensitive.”
In such cases, it is recommended that you notify Equifax and TransUnion.
What can organizations do?
The CSE said organizations should contact their Cyber Centre if they have been the victim of a ransomware attack.
“Develop, test, and implement a backup plan for your organization that ensures your backups use ultra-resilient media, such as offline, air-gapped, or immutable, to prevent ransomware from impacting your ability to recover,” Foreman recommended.
He said organizations also need to develop an incident response plan, run frequent system updates and vulnerability scans, and protect data with encryption.
Companies can also implement network security zones to control and restrict access to specific systems and data, and restrict data communication flows to certain systems or zones.
“(Organizations should) use secure administrative workstations to separate sensitive tasks, manage administrative privileges and accounts, and enforce multi-factor authentication (MFA) on accounts and devices wherever possible,” Foreman said.
The CSE also has a Ransomware Playbook that organizations can use to develop an action plan against such incidents.
The London Drugs case
In a statement, London Drugs said there remained no indication that customer or “primary employee” data was accessed. But it confirmed that the attackers were able to steal files from its corporate head office, some of which may include employee information.
“London Drugs is taking all available steps to mitigate any impacts from these criminal acts, including notifying all current employees whose personal information could be potentially impacted,” the company said.
The attackers are seeking a ransom of $25 million and threatening to post the stolen data on the dark web, according to threat analyst Brett Callow, with New Zealand-based cybersecurity company Emsisoft.
–with files from Global’s Simon Little