The Saskatchewan Information and Privacy Commissioner released an investigation report into the SLGA Nov. 10, detailing a cyberattack that happened late last year.
According to the report, the personal information of roughly 40,000 individuals was compromised during a privacy breach of the Saskatchewan Liquor and Gaming Authority (SLGA) in December 2021.
A SLGA information technology (IT) employee noticed they were unable to connect to the web server and shortly after, the SLGA received a ransom demand. The attackers claimed that if the ransom was not paid, the attackers would publish data to the media and on the dark web, which is only accessible by special software that allows users and operators to be anonymous and untraceable.
A critical vulnerability sector was left unpatched within the system platform, creating the opportunity for a cyberattack.
The investigation explained that the breach began sometime in November, but the SLGA wasn’t able to detect suspicious activity until Dec. 25.
“What it comes down to really speaks to the importance of having a lot of oversight and monitoring of these kinds of technologies,” said cybersecurity expert Brennan Schmidt. “It really would be an advantage for these types of organizations to invest in not only the technologies to monitor it, but also to have active oversight and have people taking a look at what might be out of the ordinary.
“Instead of having individual organizations looking at this problem through their own unique lens, we can really come together and make sure there is a common baseline standard that the government can start using here.”
Approximately 40,000 individuals were affected, including current and past employees, dependents of employees, and regulatory clients. The SLGA unnecessarily retained the information of past employees (and their dependents) and regulatory clients that had not been in contact with the SLGA in the past five years. The investigation proved that the number of affected individuals could have been much smaller had the SLGA not indefinitely retained personal information that they did not need.
The attackers followed through with their treat to disclose data to the media as well as on the dark web.
Following the breach, the SLGA notified consumers and employees of the issue.
“This information may include place and date of birth, driver’s licence, height, weight, eye colour, employment history, criminal record history and financial disclosures gathered as part of the licensing/permit process for commercial liquor permits, cannabis permits and gaming/horse racing registrants,” the SLGA said in a press release.
“We have policies in place now that that should not happen going forward,” said Saskatchewan Minister responsible for the SLGA, Lori Carr.
The investigation report outlined several recommendations to the SLGA to prevent another attack including extended credit monitoring for those who request it, implementing more in-depth prevention policies and procedures to eliminate unnecessary personal information.
Carr commented on the finalized report and recommendations at the Legislature on Thursday.
“The credit monitoring one, we are going to evaluate that one and see if it is necessary but certainly not out of the question.”
“I think we have a real opportunity here for leadership,” said Schmidt. “Specifically, to put that talk into action by putting that real interest into making sure they have got the resources – the money, but also the people who can really be involved in helping out with decision making.
“What better ways to find cost savings while also improving security than to bring people together at the same table and try to address these issues as whole as opposed to individual parts.”