While the ransom demanded by the software used in a 2020 cyberattack wasn’t paid, an IT expert says Saskatchewan residents aren’t out of the woods.
A report recently released by Saskatchewan’s Information and Privacy Commissioner (IPC) notes that roughly 547,000 of the files stolen by ransomware from provincial health care servers last January likely contained personal information.
That data is still at large and could be worth big money, as much as $1,000 USD per file, on the dark web.
“Health information is particularly lucrative on the dark web,” said Dr. Alec Couros, a University of Regina Information and Communications Technologies professor.
“This information can provide a really long history and a lot of complete information, and typically goes for more money on the dark web as opposed to credit cards which actually go for very cheap.”
Couros says health care information can include names, addresses, dates of birth, credit card information, health care numbers, medical conditions and more.
That can be used for everything from blackmail to identity theft.
“The more full and complete this record can be the more damaging it can be to an individual,” Couros said.
Couros said “fullz”, a term used to describe a file that contains all of the necessary information to confidently identify an individual, can fetch as much as $1,000 USD on the dark web.
He said that if enough fullz could be formed through the stolen data, the data could be worth millions of dollars on the dark web in total.
Sparked by a Saskatchewan Health Authority (SHA) employee plugging a personal device into a workstation in late 2019, the cyberattack in question was able to infiltrate connected digital infrastructure between the SHA, eHealth Saskatchewan and the Ministry of Health.
Around 40 gigabytes — over 5.5 million files — were stolen in total.
The files were encrypted, making their specific contents undeterminable. But using specific search techniques, such as looking for files containing a 9-digit number, eHealth Saskatchewan was able to estimate that 547,145 files potentially containing personal information or personal health information were stolen from across the affected organizations.
The IPC’s report made 25 recommendations aimed at addressing information security at the affected organizations.
Among them was a call for eHealth to continue monitoring the dark web for the stolen information for at least five years. The commissioner’s report shows that, through SaskTel, eHealth Saskatchewan hired Hitachi Systems Security on January
On Friday, Health Minister Paul Merriman promised to examine each recommendation individually, including the idea of dark web monitoring.
“We’re continuing to see if anything pops up. And, if anything does pop up then we will work with any individual that needs some reassurance that their privacy hasn’t been breached or isn’t being sold or they don’t have identity theft,” Merriman said.
But Couros said that because digital information can be infinitely duplicated, and because the core principle of the dark web is keeping its users anonymous, successfully monitoring such activity is a tall order.
“What Tor (the open-source software used to browse the dark web) does, is it creates several layers of IP addresses so you don’t actually know where the source computer is. Once you’re on there everyone is anonymous and it’s very difficult to find someone,” he said.
He added that many such dark web transactions deal in cryptocurrencies like Monero and Bitcoin, and that there isn’t much an individual can do after losing this information to confidently recover it.
“That would make a transaction much more discreet and secure than, say, a Western Union transaction. So you’re anonymous. You can’t trace the money. It makes it much easier to deal with illegal goods. And, even if you were able to find these digital goods sold on the dark web, that doesn’t mean they aren’t being sold by many people.”