No warning from government that personal data was hacked: Sask. Liquor and Gaming suppliers - Action News
Home WebMail Saturday, November 23, 2024, 02:12 AM | Calgary | -11.7°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
SaskatchewanCBC Investigates

No warning from government that personal data was hacked: Sask. Liquor and Gaming suppliers

Suppliers whose data was stolen in a Christmas Day hack of the Saskatchewan Liquor and Gaming Authoritys (SLGAs) computers systems say the government never informed them that their personal data, including credit card numbers, had been taken.

Documents sent to CBC by alleged hacker contain credit card numbers, other sensitive information

On Christmas Day, Saskatchewan Liquor and Gaming's computer systems were targeted by hackers, who appear to have taken confidential information. (Neil Cochrane/CBC)

Suppliers whose data was taken in a Christmas Day hack of the Saskatchewan Liquor and Gaming Authority's computersystems say the government never informed them that their personal data, including credit card numbers, had been taken.

A man identifying himself as "Jason Walmart" called CBC recently and said he is part of the organization that hacked the SLGA'ssystems.

"We downloaded all the private and sensitive information," he told CBCin a recorded phone call."We got one-and-a-half terabytes of their confidential data."

Following the phone call, someone using the nameDr. Clement Goyette sentCBC a link to an "evidence pack" of files, which contained more than 500 megabytes of what appear to be internal SLGA documents.

They include bank records, budgets, contracts, employee data and supplier agreements.

A man who identified himself as the one who hacked SLGA files sent CBC a package of what appear to be internal SLGA documents as proof of his claim. (CBC News)

The self-proclaimed hacker said he contacted CBC because the province was refusing to negotiate.

"We tried to reach the company to provide them this information and to start negotiations. They said they don't care about the problem," the person said.

Credit card data taken

One of the documents provided by the hackers was a credit card authorization form for Manmohan Minhas, the owner of Minhas Sask, which bills itself as the province's largest distillery, winery and brewery.

The document included Minhas's corporate credit card number, along with itsexpiry date and security code, and Minhas's signature. The hackers also provided a form that Minhas Saskhad submitted to the federal government.

An array of credit cards in a pile.
A package of information sent to CBC by alleged hackers contained credit card numbers and other confidential information belonging to SLGA suppliers. (Keith Srakocic/The Associated Press)

CBC called Minhas to alert him thathis data appearedto have been taken in the SLGA hack. He said SLGA never informed him about it.

"Oh boy," said Minhas. "This is the first time I'm ever hearing about it."

He said it made him "very concerned."

"I've got to go and check out my credit cards for those months."

'I'm pretty livid': supplier

The hack happened more than three months ago.

On Dec. 28, the Saskatchewan government issued a news release about a "cybersecurity incident at SLGA" that had happened on Christmas Day.

The authority is the main distributor and sole licensing agent for the sale of alcohol in the province. It also regulates gaming and cannabis.

The Saskatchewan Liquor and Gaming Authority is the main distributor and sole licensing agent for the sale of alcohol in the province. It also regulates gaming and cannabis. (The Associated Press)

The news release said the Crown corporation had launched an investigation and that "SLGA does not have any evidence that the security of any customer, employee or other personal data has been misused."

CBC spoke with another SLGA supplier who spoke on the condition that their name not be used, due to concerns about possible negative effects on their business.

The information provided to CBC by the hackers included thecredit card information of thesource.

Like Minhas, this supplier said SLGA failed to tell them their information had been compromised.

"I'm pretty livid," they said. "I'm disappointed in the lack of transparency. I feel like they were not totally upfront about the severity of the breach."

On March 22, more than three months after the cyberattack, SLGA posted an update on its investigation.

"SLGA believes that personal information of SLGA's regulatory clients may have been accessed or taken by an unauthorized third party," the authority's website says.

The Crown corporationsaid the personal information of "gaming registrants, liquor permit applicants and cannabis permit applicants" may have been taken.

Theauthority says the information it collects includes "names, addresses, phone numbers and in some cases also includes birth dates, place of birth, drivers licence numbers, criminal records, certain medical information, financial information, previous names (e.g., birth name or maiden name), physical characteristics."

TheSLGA supplier who spoke to CBC was not impressed when they learned about that notification.

"I don't care what they put on their website. They should be contacting people directly," the supplier said. "They want to cover their ass now."

SLGA responds

In an email to CBC, the Liquor and Gaming Authoritysaid shortly after the hack, it contacted its employees and former employees directly, notifying themthat their data may have been compromised.

The organization also said"credit monitoring was offered to employees immediately."

SLGA's statement saysnothing about notifying its customers or suppliers about a possible breach of their data. The statement also says nothing about offering credit monitoring to anyone other than its employees.

The authority says it knows that its "data was access by criminals," but itdoesn't know precisely what was taken or what those criminals may havedone with the information.

"We have not had sufficient evidence to indicate what information was taken," says the SLGA's statement. "Nor has there been any information to suggest it had been misused."

Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, said SLGA's response is utterly baffling, given that it hasfailed to contact all the people who may have had their data stolen.

"How do they know whether or not a customer's credit card info isbeing misused if they haven't let the customer know?" Callow wondered.

He saidthat since the SLGA knows so little aboutwhat was taken in the hack, it should have assumed the worst.

"If they cannot specifically identify the scope of the attack, and what information was taken and what wasn't, they have to err on the side of caution and let people know that their information may have been taken," he said.