Internal documents from the provincial government appear to have been posted online, one week after provincial government servers were hit with a ransomware attack.
The internal documents include financial reports, bank statements and payment details from the Agri-Stability program, a crop insurance program designed to protect farmers against unexpected losses. Some of these documents include personal information, including SIN numbers, names, contact information and business numbers.
A website purporting to be from a ransomware organization known as Maze posted the files on Sunday. The website suggests the documents are “proof” of the cyber-attack and are part of a further 200 GB of files stolen from the provincial government.
“We are aware of a very limited breach that has occurred in relation to the ransomware event,” read a statement issued late Monday by the Department of Finance.
“The impacted citizens are being communicated with personally, as soon as the data can be verified and validated.”
The statement said an investigation into the attack is ongoing. A representative of the Department of Finance said information from the site in question could pose a risk to individuals of malware infection.
"It takes weeks to complete a forensic analysis to work out what did or did not happen. The absence of evidence isn't the evidence of absence."
On Sunday, Feb. 23, Information Technology staff with the province detected a ransomware threat. A news release issued two days later claimed that there was “no reason to believe that Islanders’ personal information has been affected.” The release said a small number of government servers had been encrypted by the attack, effectively locking out provincial staff from their systems.
Brett Callow, a B.C.-based threat analyst with the firm Emsisoft, has been tracking the group Maze since the beginning of this year. He believes it was premature to claim that no personal information was affected.
"That's a largely meaningless claim. It takes weeks to complete a forensic analysis to work out what did or did not happen," Callow said.
"The absence of evidence isn't the evidence of absence."
In late January, Maze targeted the Canadian construction company Bird Construction, a company that has had contracts with the Canadian military. The same group appears to have carried out another ransomware attack on the Manitoba-based insurance firm Andrew Agencies as well as the city of Pensacola, Florida in December.
Callow said there have been over 40 attacks linked to the group since the beginning of the year.
"In the past this group has also posted the data in Russian hacking forums with a note to use this information in any nefarious way that you want," Callow said.
"So this is a very bad thing for the individuals whose data has been compromised. They are sitting ducks for identity theft and other forms of scams."
Callow added that ransomware attacks, which often rely on phishing scams through electronic communication, are often preventable.
Tim Weber, director of security services at the US-based firm ADNET Technologies, said the Maze group has targeted both private companies and municipalities in the US.
“They're one of the bigger purveyors of ransomware. What we've seen is that they've really kind of upped the game in terms of not just encrypting the data but releasing it if people aren't paying ransom," Weber said.
"I can tell you as an IT security person, I like to call that the nightmare scenario."
Weber said he sympathized with IT staff working with P.E.I.’s government.
He said the early statement denying a risk of a data breach may have occurred before the full extent of damage from the cyber attack was known.
"There's a fog of war that happens initially. It sometimes takes a chunk of time to actually understand what in the world just happened to us," Weber said.
"This is the start of a couple-week period of recovery for them."
As of Monday, court services were still being impacted by the ransomware attack. A criminal hearing was cancelled after staff could not access their system.
Provincial staff said they are working with the Canadian Centre for Cyber Security and have also reached out to the province’s information and privacy commissioner.
- UK's financial watchdog flags data breach on website
- MGM Resorts sued over data breach that possibly involved 10.6 million guests
- U.S. agency that handles Trump's secure communication suffered data breach
- Shaw informs customers of data breach six months after incident
- Desjardins Group data breach hit all 4.2 million members: Quebec finance minister
- No data breached during attack on P.E.I. government website, says finance minister