No warning from government that personal data was breached: Sask. Alcohol and gaming providers
Vendors whose data was taken in a Christmas Day hack of Saskatchewan Liquor and Gaming Authority computer systems say the government never informed them that their personal data, including credit card numbers, had been taken.
A man identifying himself as “Jason Walmart” recently called CBC and said he was part of the organization that hacked into SLGA’s systems.
“We downloaded all private and sensitive information,” he told CBC in a recorded phone call. “We obtained a terabyte and a half of their confidential data.”
Following the phone call, someone using the name Dr Clément Goyette sent CBC a link to an “evidence dossier” of files, which contained over 500 megabytes of what appear to be internal SLGA documents. .
They include bank statements, budgets, contracts, employee data and supplier agreements.
The self-proclaimed hacker said he contacted CBC because the province refused to negotiate.
“We tried to reach out to the company to provide them with this information and start negotiations. They said they didn’t care about the issue,” the person said.
Credit card data taken
One of the documents provided by the hackers was a credit card authorization form for Manmohan Minhas, the owner of Minhas Sask, which bills itself as the province’s largest distillery, winery and brewery.
The document included Minhas’ corporate credit card number, along with its expiration date and security code, along with Minhas’ signature. The hackers also provided a form that Minhas Sask had submitted to the federal government.
CBC called Minhas to warn him that his data appeared to have been taken during the SLGA hack. He said the SLGA never told him.
“Oh my God,” Minhas said. “It’s the first time I’ve heard of it.”
He said it made him “very worried”.
“I have to go check my credit cards for these months.”
“I’m pretty livid”: supplier
The hack took place more than three months ago.
On December 28, the Government of Saskatchewan issued a press release about a “cybersecurity incident at SLGA” that occurred on Christmas Day.
The authority is the primary distributor and sole licensing agent for the sale of alcohol in the province. It also regulates gambling and cannabis.
The press release states that the state-owned company has launched an investigation and that “SLGA has no evidence that the security of any customer, employee or other personal data has been misused.” .
CBC spoke with another SLGA supplier who spoke on the condition that his name not be used, due to concerns about possible negative effects on his business.
The information provided to CBC by the hackers included the source’s credit card information.
Like Minhas, this provider said SLGA did not tell them their information had been compromised.
“I’m pretty livid,” they said. “I’m disappointed with the lack of transparency. I feel like they weren’t completely upfront about the seriousness of the breach.”
On March 22, more than three months after the cyberattack, the SLGA released an update to its investigation.
“SLGA believes that the personal information of SLGA’s regulatory customers may have been accessed or taken by an unauthorized third party”, the authority’s website says.
The state corporation said the personal information of “gaming registrants, liquor license applicants and cannabis license applicants” had been seized.
The authority says the information it collects includes “names, addresses, telephone numbers and, in some cases, dates of birth, place of birth, driver’s license numbers, criminal records, certain medical information, financial information, previous names (e.g. birth name or maiden name), physical characteristics.”
The SLGA supplier who spoke to CBC was unimpressed when he learned of the notification.
“I don’t care what they put on their website. They should contact people directly,” the vendor said. “They want to cover their ass now.”
In an email to CBC, the Liquor and Gaming Authority said shortly after the hack, it contacted its employees and former employees directly, advising them that their data may have been compromised.
The organization also said that “credit monitoring was immediately offered to employees.”
SLGA’s statement is silent on notifying its customers or suppliers of a possible breach of their data. The statement also says nothing about offering credit monitoring to anyone other than its employees.
The authority says it knows its “data was accessed by criminals,” but it doesn’t know specifically what was taken or what those criminals may have done with the information.
“We did not have sufficient evidence to indicate what information was taken,” the SLGA statement said. “Nor has there been any information to suggest it was misused.”
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said the SLGA’s response is quite baffling, given that it failed to contact everyone who may have been steal their data.
“How do they know if a customer’s credit card information is being misused if they haven’t told them?” Callow wondered.
He said that since the SLGA knows so little about what was hacked, it should have assumed the worst.
“If they cannot specifically identify the scope of the attack, and what information was taken and what was not, they should err on the side of caution and let people know that their information may have been taken,” he said.